Another "DateParserVerbose - Failed to parse timestamp" warning

_smp_
Builder

I'm getting "DateParserVerbose - Failed to parse timestamp" from a syslog source. I'm a pretty inexperienced Splunk user, but the TIME_FORMAT value is %b %d %H:%M:%S, which looks right to me??? I want to parse the timestamp at the beginning of the message.

Here's a sample message:

Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: #NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg to the NetFlow Task - One Second Timer Message could not be sent. Return Code (1)

Here's the warning:

04-21-2016 15:38:31.587 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 21 15:38:31 2016). Context: source::udp:3514|host::10.144.15.220|syslog|

And here's the sourcetype definition:

[syslog]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE = 
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = 
HEADER_MODE = 
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 32
MUST_BREAK_AFTER = 
MUST_NOT_BREAK_AFTER = 
MUST_NOT_BREAK_BEFORE = 
NO_BINARY_CHECK = true
REPORT-syslog = syslog-extractions
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
TRANSFORMS = syslog-host
TRUNCATE = 10000
category = Operating System
description = Output produced by many syslog daemons, as described in RFC3164 by the IETF
detect_trailing_nulls = false
disabled = false
maxDist = 3
priority = 
pulldown_type = true
sourcetype = 

petercow
Path Finder

If you want to use the 'first' timestamp, set your MAX_TIMESTAMP_LOOKAHEAD to a smaller value.

_smp_
Builder

Thanks for the response, but the second timestamp begins at byte #56. Shouldn't Splunk ignore it?

petercow
Path Finder

That's fine. I was guessing you wanted to use the '2nd' time-stamp, but you didn't specify.

Your TIME_PREFIX = ^ tells Splunk that the timestamp is immediately at the beginning of the event. Make a regex so that it starts at the 2nd.

_smp_
Builder

Ah, great point. I'm sorry I didn't include that obvious detail. I want to use the timestamp at the beginning of the message. I'll fix my original post.

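As an added illustration (not code from the thread and not Splunk's implementation), the Python below emulates how TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT pick a timestamp out of the sample event, so you can see which of the two timestamps each combination of settings can reach. The emulation is an approximation of Splunk's behaviour, and the year 2016 is assumed because %b %d %H:%M:%S carries no year.

```python
import re
from datetime import datetime

# Constructed copy of the syslog event quoted in the thread (no year, as in RFC3164 syslog).
SAMPLE_EVENT = (
    "Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: "
    "#NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg "
    "to the NetFlow Task - One Second Timer Message could not be sent. Return Code (1)"
)

TIME_FORMAT = "%b %d %H:%M:%S"   # the thread's TIME_FORMAT
ASSUMED_YEAR = 2016              # assumption: the format has no %Y, so a year is supplied here

# Regex fragment for each strptime directive used in the thread's TIME_FORMAT.
_DIRECTIVE_RE = {"%b": r"[A-Z][a-z]{2}", "%d": r"\d{1,2}",
                 "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}"}


def _format_to_regex(time_format):
    """Turn a strptime format into a regex that finds candidate timestamps in text."""
    return re.compile(re.sub(r"%[bdHMS]", lambda m: _DIRECTIVE_RE[m.group()],
                             re.escape(time_format)))


def extract_timestamp(event, time_prefix, lookahead, time_format=TIME_FORMAT, year=ASSUMED_YEAR):
    """Approximate Splunk's TIME_PREFIX -> MAX_TIMESTAMP_LOOKAHEAD -> TIME_FORMAT search.

    Returns (datetime, offset_in_event) for the first parseable timestamp inside the
    lookahead window that follows the prefix match, or None, which corresponds to the
    "Failed to parse timestamp" warning. Simplified emulation, not Splunk's own code.
    """
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None                       # prefix never matches: nothing to parse
    start = prefix.end()
    window = event[start:start + lookahead]
    for cand in _format_to_regex(time_format).finditer(window):
        try:
            ts = datetime.strptime(cand.group(), time_format).replace(year=year)
        except ValueError:                # e.g. "Xyz 21 15:38:31" is not a month name
            continue
        return ts, start + cand.start()
    return None


if __name__ == "__main__":
    # The thread's settings (TIME_PREFIX = ^, lookahead 32) read the syslog header time at offset 0.
    print(extract_timestamp(SAMPLE_EVENT, r"^", 32))
    # A prefix regex placed just before the device's own time reaches the 2nd timestamp at offset 56.
    print(extract_timestamp(SAMPLE_EVENT, r"\*osapiBsnTimer: ", 32))
    # A window that stops short of offset 56 finds nothing, the situation the warning reports.
    print(extract_timestamp(SAMPLE_EVENT, r"device01: ", 16))
```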