Why am I receiving timestamp parsing errors in my ...

BradTaylor · ‎11-03-2016

I'm getting these errors in my logs on indexer:

11-04-2016 02:44:58.058 -0400 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Nov  4 04:44:49 2016). Context: source::/opt/bmc/ARSystem/db/aruser.log|host::ln98622|ARS log|253
11-04-2016 02:45:05.135 -0400 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Nov  4 04:44:56 2016). Context: source::/opt/bmc/ARSystem/db/aruser.log|host::ln98621|ARS log|964
11-04-2016 02:45:11.390 -0400 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Nov  4 04:45:06 2016). Context: source::/opt/bmc/ARSystem/db/aruser.log|host::ln98622|ARS log|256

Timestamps in the log files are like this, starting at position 173 and running to position 206

/* Thu Nov 03 2016 22:52:17.2644 */

I've set the following in the props.conf:

TIME_PREFIX = \/\*.
TIME_FORMAT =  %a %b %d %Y %H:%M:%S.%4N

Lookahead = 35

Have I done something incorrectly?

The errors are not continuous, but fairly frequent.

thanks... Brad

mtranchita · ‎11-17-2016

Perhaps reading too quickly but where you have "Lookahead" in your props did you mean MAX_TIMESTAMP_LOOKAHEAD?

hunters_splunk · ‎11-04-2016

Hi Brad,

Not sure if this is the info that can help you, but you can use Splunk Add-on for BMC Remedy to help you to create and update incidents in Remedy system from the Splunk platform:

https://splunkbase.splunk.com/app/3087

This add-on does not collect any data though. You can refer to the documentation here:

http://docs.splunk.com/Documentation/AddOns/released/Remedy/About

Thanks!

Why am I receiving timestamp parsing errors in my BMC Remedy logs?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life