Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why the wrong timestamps are being parsed for a dhcpd.leases file?

bloxhorne
New Member
‎06-17-2016 12:51 PM

I'm trying to read in a dhcpd.leases file, but some of my entries are getting the wrong timestamp, and I'm not sure how to debug it.

When I first load the file, the parser recognizes the correct time stamp:

alt text

But then, when reviewing the events, a lot of them (~25%) have the wrong timestamp

alt text

Note the _time is 9/17/16 instead of 6/24/14
Is this just a problem with auto extraction of the timestamp?
Is there a way to debug the extraction with these events ?

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

splunk_force_as
Path Finder
‎06-17-2016 04:08 PM

You will need to add the following configurations to your props.conf. These configurations will tell splunk exactly where to look for your timestamp. You can also add these configuration via the GUI will uploading data. These are index time extractions so that won't update/change any data that's currently written to disk.

TIME_PREFIX= [\r\n]starts\s+\S+\s+
TIME_FORMAT = %Y/%m/%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 23

To add these configs via the GUI complete the following fields:

Timestamp format: %Y/%m/%d %H:%M:%S
Timestamp prefix:  [\r\n]starts\s+\S+\s+
Lookahead: 23

To troubleshoot issues, I would look at: 

index = _internal log_level = WARN OR log_level =ERROR  "timestamp"
0 Karma
Reply

bloxhorne
New Member
‎06-18-2016 10:43 AM

Yeah, I poked around with those regex settings, it fixed some of the problems, but there were still some oddnesses like this.

alt text

looking at the splunkd.log, I assume this is because the event is more than 2000 days old.

DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event
The TIME_FORMAT specified is matching timestamps (Fri Jun 18 14:48:58 2010) outside of the acceptable time window. If this timestamp is correct,
consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE
Preview file
1 KB
0 Karma
Reply

splunk_force_as
Path Finder
‎06-20-2016 04:19 PM

You can update those settings in props.conf, but keep in mind the retention policy. By default, splunk deletes data older than ~6 years. You may need to increase you frozen time period in secs setting in indexes.conf to ensure that the data isn't deleted.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...