Splunk Enterprise

How do I fix this : Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD?

super_saiyan
Communicator

I've deployed below props to  extract the time splunk. There are WARN messages in splunkd logs as follows DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (12) characters of event. Defaulting to timestamp of previous event. 

please refer to the below log 

 

Hounsaya     add_user      4               Thu Sep 15 10:09 - 26:39 (60+00:47)
 

Can you please help and let me know if i need to make any changes?

 

Labels (2)
0 Karma

super_saiyan
Communicator

Hi @richgalloway  Many thanks for your quick response. Below is my props.conf

 

TIME_PREFIX = (Sun|Mon|Tue|Wed|Thu|Fri|Sat)\s
 
TIME_FORMAT = %b %d %H:%M
 
NO_BINARY_CHECK = true
 
SHOULD_LINEMERGE = false
 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

That looks like it should work, but here's an alternative to try:

TIME_PREFIX = \d\s+
TIME_FORMAT = %a %b %d %H:%M
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please share the props.conf settings for the sorucetype, especially TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...