How do I fix this : Failed to parse timestamp in f...

super_saiyan · ‎09-15-2022

I've deployed below props to extract the time splunk. There are WARN messages in splunkd logs as follows DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (12) characters of event. Defaulting to timestamp of previous event.

please refer to the below log

Hounsaya add_user 4 Thu Sep 15 10:09 - 26:39 (60+00:47)

Can you please help and let me know if i need to make any changes?

super_saiyan · ‎09-15-2022

Hi @richgalloway Many thanks for your quick response. Below is my props.conf

TIME_PREFIX = (Sun|Mon|Tue|Wed|Thu|Fri|Sat)\s

TIME_FORMAT = %b %d %H:%M

NO_BINARY_CHECK = true

SHOULD_LINEMERGE = false

richgalloway · ‎09-16-2022

That looks like it should work, but here's an alternative to try:

TIME_PREFIX = \d\s+
TIME_FORMAT = %a %b %d %H:%M
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎09-15-2022

Please share the props.conf settings for the sorucetype, especially TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD.

---
If this reply helps you, Karma would be appreciated.

How do I fix this : Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD?

configuration

troubleshooting

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?