I'm getting these errors in my logs on indexer:
11-04-2016 02:44:58.058 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Nov 4 04:44:49 2016). Context: source::/opt/bmc/ARSystem/db/aruser.log|host::ln98622|ARS log|253
11-04-2016 02:45:05.135 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Nov 4 04:44:56 2016). Context: source::/opt/bmc/ARSystem/db/aruser.log|host::ln98621|ARS log|964
11-04-2016 02:45:11.390 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Nov 4 04:45:06 2016). Context: source::/opt/bmc/ARSystem/db/aruser.log|host::ln98622|ARS log|256
Timestamps in the log files are like this, starting at position 173 and running to position 206
/* Thu Nov 03 2016 22:52:17.2644 */
I've set the following in the props.conf:
TIME_PREFIX = \/\*.
TIME_FORMAT = %a %b %d %Y %H:%M:%S.%4N
Lookahead = 35
Have I done something incorrectly?
The errors are not continuous, but fairly frequent.
thanks... Brad
Perhaps reading too quickly but where you have "Lookahead" in your props did you mean MAX_TIMESTAMP_LOOKAHEAD?
Hi Brad,
Not sure if this is the info that can help you, but you can use Splunk Add-on for BMC Remedy to help you to create and update incidents in Remedy system from the Splunk platform:
https://splunkbase.splunk.com/app/3087
This add-on does not collect any data though. You can refer to the documentation here:
http://docs.splunk.com/Documentation/AddOns/released/Remedy/About
Thanks!