Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Need assistance in writing props: Why is search fa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. I have below logs:
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call), unable to find the logs from this server.
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call), unable to find the logs from this server.
server6z: INFO could not find the logs under this path(apimanager call)
i have mentioned in my props
should_linemerge=false
line_breaker=([\r\n]+)
but i am seeing error like failed to parse timestamp
defaulting to file modtime.
How to resolve this issue.
2. I am getting the same issue as above for this type of logs as well
Sample logs:
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The message "failed to parse timestamp" means Splunk could not find a timestamp in your logs that matches what it expected. Perhaps, and this appears to the case here, there is no timestamp at all.
To fix the problem, make sure the props.conf settings correctly tell Splunk where to find the timestamp in each event and how it is formatted. Specifically, include these settings:
TIME_PREFIX
TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEADFor logs that have no timestamp at all, then let Splunk know that with this props.conf setting, which uses the current time as the event time.
DATETIME_CONFIG = CURRENT
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The message "failed to parse timestamp" means Splunk could not find a timestamp in your logs that matches what it expected. Perhaps, and this appears to the case here, there is no timestamp at all.
To fix the problem, make sure the props.conf settings correctly tell Splunk where to find the timestamp in each event and how it is formatted. Specifically, include these settings:
TIME_PREFIX
TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEADFor logs that have no timestamp at all, then let Splunk know that with this props.conf setting, which uses the current time as the event time.
DATETIME_CONFIG = CURRENT
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
