Received error warning "Failed to parse timestamp.... - Splunk Community

Splunk Search

i am trying to debug an issue "failed to parse timestamp". In the splunkd log, i see the following warning :-

02-23-2016 13:55:38.721 -0500 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Feb 23 13:55:38 2016). Context: source::xxxxx.log|host:yyyyy|xyz_log|1123

since this warning is from splunkd.log, the timestamp it showing is indexer time. but i want to know what is the event in the source log when the splunkd is throwing this error, so that i can better the understand reason.

Like this:

index=* _indextime=<Convert '02-23-2016 13:55:38.721 -0500' to epoch manually> _time=<Convert 'Thu Feb 23 13:55:38 2016' to epoch manually> source=xxxxx.log host=yyyyy

Start by looking at the _raw for all events where _time = Thu Feb 23 13:55:38 2016
with the given source and host. There shouldn't be more than a couple.

Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Observe and Secure All Apps with Splunk

Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever. Join us for an ...