Hi woodcook,
Can you please provide me a solution for this? Here's our path:
UFs------>HF------->splunk
We're seeing these WARN messages on our HF:
05-02-2016 16:36:21.908 -0500 WARN DateParserVerbose - Accepted time format has changed ((?i)(?<!\w|\d[:\.\-])(?i)(?<![\d\w])(jan|\x{3127}\x{6708}|feb|\x{4E8C}\x{6708}|mar|\x{4E09}\x{6708}|apr|\x{56DB}\x{6708}|may|\x{4E94}\x{6708}|jun|\x{516D}\x{6708}|jul|\x{4E03}\x{6708}|aug|\x{516B}\x{6708}|sep|\x{4E5D}\x{6708}|oct|\x{5341}\x{6708}|nov|\x{5341}\x{3127}\x{6708}|dec|\x{5341}\x{4E8C}\x{6708})[a-z,\.;]*([/\- ]) {0,2}(?i)(0?[1-9]|[12]\d|3[01])(?!:) {0,2}(?:\d\d:\d\d:\d\d(?:[\.\,]\d+)? {0,2}(?i)((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?)?((?:\2|,) {0,2}(?i)(20\d\d|19\d\d|[901]\d(?!\d)))?(?!/|\w|\.\d)), possibly indicating a problem in extracting timestamps. Context: source::/opt/apps/miware/server/jvm01/log/server.log|host::ws97yelx|log4j|135220
05-02-2016 16:38:34.387 -0500 WARN DateParserVerbose - A possible timestamp match (Mon Jan 2 16:38:31 2017) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::/opt/apps/mware-6.4/tst/jvm01/log/server.log|host::wn76yflx|log4j|3160
05-02-2016 16:38:34.387 -0500 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Jan 7 16:38:31 2016). Context:source::/opt/apps/mware-6.4/tst/jvm01/log/server.log|host::wn76yflx|log4j|3160
I did run this search and found that many of the hosts and sourcetypes are showing date_zone=-300:
index=* NOT date_zone=local | eval lagSecs=_indextime - _time | stats avg(lagSecs) by index,sourcetype,host,date_zone