Another "DateParserVerbose - Failed to parse timestamp" warning

_smp_
Builder

I'm getting "DateParserVerbose - Failed to parse timestamp" from a syslog source. I'm a pretty inexperienced Splunk user, but the TIME_FORMAT value is %b %d %H:%M:%S, which looks right to me??? I want to parse the timestamp at the beginning of the message.

Here's a sample message:

Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: #NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg to the NetFlow Task - One Second Timer Message could not be sent. Return Code (1)

Here's the warning:

04-21-2016 15:38:31.587 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 21 15:38:31 2016). Context: source::udp:3514|host::10.144.15.220|syslog|

And here's the sourcetype definition:

[syslog]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE = 
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = 
HEADER_MODE = 
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 32
MUST_BREAK_AFTER = 
MUST_NOT_BREAK_AFTER = 
MUST_NOT_BREAK_BEFORE = 
NO_BINARY_CHECK = true
REPORT-syslog = syslog-extractions
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
TRANSFORMS = syslog-host
TRUNCATE = 10000
category = Operating System
description = Output produced by many syslog daemons, as described in RFC3164 by the IETF
detect_trailing_nulls = false
disabled = false
maxDist = 3
priority = 
pulldown_type = true
sourcetype = 

petercow
Path Finder

If you want to use the 'first' timestamp as your event time, set MAX_TIMESTAMP_LOOKAHEAD to a smaller value.

_smp_
Builder

Thanks for the response, but the second timestamp begins at byte #56. Shouldn't Splunk ignore it?

petercow
Path Finder

That's fine. I was guessing you wanted to use the '2nd' time-stamp, but you didn't specify.

Your TIME_PREFIX = ^ tells Splunk that the timestamp is immediately at the beginning of the event. Make a regex so that it starts at the 2nd.

_smp_
Builder

Ah, great point. I'm sorry I didn't include that obvious detail. I want to use the timestamp at the beginning of the message. I'll fix my original post.

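The thread turns on three settings working together: TIME_PREFIX decides where the timestamp search begins, MAX_TIMESTAMP_LOOKAHEAD bounds how far past that point Splunk will look, and TIME_FORMAT must match what sits there. When they disagree, the warning above says the event is stamped with the previous event's time, which is a forensic problem: the event still lands in the index, but its position on the timeline is borrowed, and any correlation or time-window search built on _time is quietly wrong. The following Python script is an added example, not code from the thread or from Splunk, that approximates that pipeline so a props.conf change can be dry-run against sample lines before it touches the indexer. The sample events are constructed (the first abbreviates the thread's own message), the year 2016 is assumed because `%b %d %H:%M:%S` carries no year, and the strict reading that the timestamp must start immediately after the TIME_PREFIX match is an assumption about Splunk's behaviour, not a reproduction of its code.

```python
import re
from datetime import datetime

# Constructed sample events in the format shown in the thread. The first is the
# thread's own message (abbreviated); the other two are made up for this example.
SAMPLE_EVENTS = [
    "Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: "
    "#NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg",
    # A leading RFC 3164 PRI field means the timestamp no longer starts at ^
    "<134>Apr 21 15:38:32 10.144.15.220 device01: link down on port 7",
    # RFC 3164 space-pads single-digit days; the format's space must tolerate that
    "Apr  1 09:05:07 10.144.15.220 device01: interface up on port 7",
]

# strptime directives -> regex fragments, for the directives common in syslog formats
DIRECTIVES = {
    "b": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "d": r"(?:0?[1-9]|[12]\d|3[01])",
    "H": r"(?:[01]\d|2[0-3])",
    "M": r"[0-5]\d",
    "S": r"(?:[0-5]\d|60)",
    "m": r"(?:0?[1-9]|1[0-2])",
    "y": r"\d{2}",
    "Y": r"\d{4}",
}


def format_to_regex(time_format):
    """Turn a TIME_FORMAT string into a regex. Whitespace becomes \\s+ (so 'Apr  1'
    matches '%b %d'), literals are escaped, unsupported directives raise."""
    parts, i = [], 0
    while i < len(time_format):
        ch = time_format[i]
        if ch == "%" and i + 1 < len(time_format):
            code = time_format[i + 1]
            if code not in DIRECTIVES:
                raise ValueError(f"unsupported strptime directive %{code}")
            parts.append(DIRECTIVES[code])
            i += 2
        elif ch.isspace():
            parts.append(r"\s+")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)


def extract_timestamp(event, time_prefix=r"^", time_format="%b %d %H:%M:%S",
                      lookahead=32, assumed_year=2016):
    """Approximate Splunk's TIME_PREFIX -> MAX_TIMESTAMP_LOOKAHEAD -> TIME_FORMAT
    pipeline; return (timestamp or None, explanation).
    Assumptions (not Splunk's code): the timestamp must begin right after the
    TIME_PREFIX match, the lookahead window is counted from the end of that match,
    and a format without a year directive gets assumed_year for determinism."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None, "TIME_PREFIX did not match"
    start = prefix.end()
    window = event[start:start + lookahead]
    match = re.match(format_to_regex(time_format), window)
    if match is None:
        return None, f"no TIME_FORMAT match in {lookahead}-char window {window!r}"
    text, fmt = match.group(0), time_format
    if "%Y" not in fmt and "%y" not in fmt:
        text, fmt = f"{assumed_year} {text}", f"%Y {fmt}"
    try:
        return datetime.strptime(text, fmt), f"matched {match.group(0)!r} at offset {start}"
    except ValueError as exc:
        return None, f"regex matched {match.group(0)!r} but strptime rejected it: {exc}"


def assign_event_times(events, **config):
    """Walk events in arrival order and, when extraction fails, reuse the previous
    event's time, which is what the 'Defaulting to timestamp of previous event'
    warning describes. Each result is (time, inherited, note); an inherited time
    means the event's place on the timeline is borrowed, not observed."""
    results, previous = [], None
    for event in events:
        ts, note = extract_timestamp(event, **config)
        inherited = ts is None
        if inherited:
            ts = previous
        results.append((ts, inherited, note))
        if ts is not None:
            previous = ts
    return results


if __name__ == "__main__":
    for ts, inherited, note in assign_event_times(SAMPLE_EVENTS):
        print(f"{'INHERITED' if inherited else 'ok':9} {ts}  {note}")
    # A TIME_PREFIX that skips an optional PRI field repairs the second event
    fixed = assign_event_times(SAMPLE_EVENTS, time_prefix=r"^(?:<\d{1,3}>)?")
    print("events with borrowed timestamps after the fix:",
          sum(1 for _, inherited, _ in fixed if inherited))
```

Run with the thread's settings, the first and third events parse and the second, with its `<134>` PRI field, inherits the first event's time; with the PRI-tolerant prefix every event parses on its own. Shrinking `lookahead` to 10 makes even the first event fail, which is the MAX_TIMESTAMP_LOOKAHEAD effect discussed above. Treat any "INHERITED" row in real sample data as a timeline defect to fix in props.conf, not as noise to suppress.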