Hi All,

I've deployed the props below to Splunk SHC and IDX clusters, but fields are not extracted in Splunk. There are WARN messages in splunkd logs as follows:

DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event. Defaulting to timestamp of previous event (Thu Jan 21 14:02:33 2016).

Can you please help and let me know if I need to make any changes?

[props]
TIME_PREFIX=^
TIME_FORMAT=%d-%b-%Y %I.%M.%S.%6Q %p
MAX_TIMESTAMP_LOOKAHEAD=50
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
LINE_BREAKER=([\r\n])\d+\-\w+\-\d+\s+\d+\.\d+\.\d+\.\d+\s+\w+\s
EXTRACT-field1=regex
EXTRACT-field2=regex

Sample events:

29-APR-21 09.44.57.234427 AM ,TEST , 11,Login ,2098856,4
29-APR-21 09.44.56.234428 AM ,TEST , 12,Login ,2098856,4
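The following is an added example, not part of the original post or any Splunk code, for checking a LINE_BREAKER and TIME_FORMAT against sample events offline before redeploying props.conf. It assumes Python's strptime is close enough to Splunk's for the specifiers used here: Splunk's %6Q (six subsecond digits) is written as %f, while %d, %b, %I, %M, %S, %p, %Y (four-digit year) and %y (two-digit year) mean the same in both. The event breaking follows the documented Splunk rule that only the text captured by the first group of LINE_BREAKER is discarded; the sample lines are constructed from the post, and the function names are the example's own.

```python
import re
from datetime import datetime

# Constructed input: the two sample events from the post joined as one raw chunk
# (what a forwarder would hand to the indexer), not Splunk output.
RAW = (
    "29-APR-21 09.44.57.234427 AM ,TEST , 11,Login ,2098856,4\n"
    "29-APR-21 09.44.56.234428 AM ,TEST , 12,Login ,2098856,4\n"
)

# LINE_BREAKER exactly as posted. Splunk drops the text matched by the first
# capture group and keeps the rest of the match as the start of the next event.
LINE_BREAKER = r"([\r\n])\d+\-\w+\-\d+\s+\d+\.\d+\.\d+\.\d+\s+\w+\s"

# Python equivalents (assumption, see lead-in) of the posted TIME_FORMAT and of a
# variant with a two-digit year. Splunk's %6Q becomes %f here.
FMT_FOUR_DIGIT_YEAR = "%d-%b-%Y %I.%M.%S.%f %p"   # as posted
FMT_TWO_DIGIT_YEAR = "%d-%b-%y %I.%M.%S.%f %p"    # candidate for "29-APR-21"
MAX_TIMESTAMP_LOOKAHEAD = 50


def break_events(raw, breaker=LINE_BREAKER):
    """Split raw text into events using Splunk's LINE_BREAKER semantics."""
    events = []
    start = 0
    for m in re.finditer(breaker, raw):
        events.append(raw[start:m.start(1)])   # everything before the delimiter
        start = m.end(1)                       # only the captured delimiter is dropped
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip("\r\n")]


def parse_timestamp(event, fmt, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Emulate TIME_PREFIX=^ with MAX_TIMESTAMP_LOOKAHEAD: try to parse a
    timestamp from the start of the event, using only the first `lookahead`
    characters. strptime needs an exact match, so the longest prefix that parses
    wins. Returns a datetime, or None when no prefix inside the window parses
    (the situation that produces the DateParserVerbose WARN)."""
    window = event[:lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def check_props(raw, fmt):
    """Return [(event, parsed_timestamp_or_None), ...] for every broken event."""
    return [(ev, parse_timestamp(ev, fmt)) for ev in break_events(raw)]


if __name__ == "__main__":
    for label, fmt in (("posted %Y", FMT_FOUR_DIGIT_YEAR), ("%y", FMT_TWO_DIGIT_YEAR)):
        print(f"TIME_FORMAT with {label}:")
        for ev, ts in check_props(RAW, fmt):
            print(f"  {ts!s:32} <- {ev[:40]}")
```

Running it shows the breaker yields two events and that, with the posted format, no timestamp parses inside the 50-character window, whereas the %y variant parses both events; whether the same holds on the indexer should still be confirmed with a test index and splunkd.log, since this is an emulation of the relevant specifiers rather than Splunk's own parser.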