I'm getting "DateParserVerbose - Failed to parse timestamp" from a syslog source. I'm a pretty inexperienced Splunk user, but the TIME_FORMAT value is %b %d %H:%M:%S, which looks right to me??? I want to parse the timestamp at the beginning of the message.
Here's a sample message:
Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: #NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg to the NetFlow Task - One Second Timer Message could not be sent. Return Code (1)
Here's the warning:
04-21-2016 15:38:31.587 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 21 15:38:31 2016). Context: source::udp:3514|host::10.144.15.220|syslog|
And here's the sourcetype definition:
[syslog]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG =
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 32
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
NO_BINARY_CHECK = true
REPORT-syslog = syslog-extractions
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
TRANSFORMS = syslog-host
TRUNCATE = 10000
category = Operating System
description = Output produced by many syslog daemons, as described in RFC3164 by the IETF
detect_trailing_nulls = false
disabled = false
maxDist = 3
priority =
pulldown_type = true
sourcetype =
That's fine. I was guessing you wanted to use the '2nd' time-stamp, but you didn't specify.
Your TIME_PREFIX = ^ tells Splunk that the timestamp is immediately at the beginning of the event. Write a regex so that it starts at the 2nd.
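To make the answer concrete, here is an added Python approximation (not Splunk's own code) of how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD interact on the sample event from the question: a prefix of ^ yields the first timestamp, a prefix regex that skips the syslog header yields the second, and a lookahead window too short to hold a full timestamp gives the "nothing parsed" case behind the warning. The header-skipping regex, the %3N-to-%f mapping and the 2016 year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the event quoted in the question.
SAMPLE = ("Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: "
          "#NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg "
          "to the NetFlow Task - One Second Timer Message could not be sent. Return Code (1)")

# Assumed TIME_PREFIX for the 2nd timestamp: skip "<mon> <day> <time> <host> <device>: *<timer>: ".
SECOND_TS_PREFIX = r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\S+:\s+\*\w+:\s+"


def extract_timestamp(event, time_prefix, time_format, lookahead=32, year=2016):
    """Approximation of Splunk's timestamp extraction: locate TIME_PREFIX, then
    strptime the text that follows it, looking at most `lookahead` characters ahead
    (MAX_TIMESTAMP_LOOKAHEAD). Returns (datetime, matched_text), or (None, None)
    when nothing parses, which is when Splunk logs "Failed to parse timestamp"."""
    m = re.search(time_prefix, event)
    if m is None:
        return None, None
    window = event[m.end():m.end() + lookahead]
    # Splunk's %3N (milliseconds) has no strptime equivalent; %f accepts 1-6 digits.
    py_format = time_format.replace("%3N", "%f")
    # Try the longest slice first so that trailing text (hostname, ':') is excluded
    # without accepting a truncated timestamp when a full one is present.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], py_format)
        except ValueError:
            continue
        # %b %d %H:%M:%S carries no year; Splunk fills it in, here from an argument.
        return ts.replace(year=year), window[:end]
    return None, None


if __name__ == "__main__":
    print("TIME_PREFIX=^          ->", extract_timestamp(SAMPLE, "^", "%b %d %H:%M:%S"))
    print("2nd-timestamp prefix   ->", extract_timestamp(SAMPLE, SECOND_TS_PREFIX, "%b %d %H:%M:%S.%3N"))
    print("lookahead too short    ->", extract_timestamp(SAMPLE, "^", "%b %d %H:%M:%S", lookahead=10))
```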