timestamp parsing issue for a specific time - Splunk Community

Splunk Search

my log is:

2016-12-22 00:01:11,076 [myid:123] - INFO [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] - Accepted data from

in the props:

TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

but i am still getting this error " failed to parse the timestamp" . after increasing the lookahead value , this error was disappeared for some time and it started to come back again. can anyone please help me to figure out what might be the issue .

You are going to have to find the events that are different that what you are expecting. Start by searching broadly and using the Patterns tab and the punct field to discern differences in log structure.

The length of the timestamp is 23 characters, not 30, so you need:

MAX_TIMESTAMP_LOOKAHEAD = 23

i added the buffer of 7 .

Don't do that.

MAX_TIMESTAMP_LOOKAHEAD value should be 23, length of timestamp.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...