Received error warning "Failed to parse timestamp.... - Splunk Community

Splunk Search

i am trying to debug an issue "failed to parse timestamp". In the splunkd log, i see the following warning :-

02-23-2016 13:55:38.721 -0500 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Feb 23 13:55:38 2016). Context: source::xxxxx.log|host:yyyyy|xyz_log|1123

since this warning is from splunkd.log, the timestamp it showing is indexer time. but i want to know what is the event in the source log when the splunkd is throwing this error, so that i can better the understand reason.

Like this:

index=* _indextime=<Convert '02-23-2016 13:55:38.721 -0500' to epoch manually> _time=<Convert 'Thu Feb 23 13:55:38 2016' to epoch manually> source=xxxxx.log host=yyyyy

Start by looking at the _raw for all events where _time = Thu Feb 23 13:55:38 2016
with the given source and host. There shouldn't be more than a couple.

Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering. Because we’ve ...