How to resolve a "DateParserVerbose - Failed to parse timestamp" error with Ironport logs?

babcolee
Path Finder

I have an Ironport log file that looks like the following:

Thu Nov 17 16:11:20 2016 Info: MID 123456789 ICID 123456789 To:  Rejected by Receiving Control
Thu Nov 17 16:11:20 2016 Info: MID 123456789 queued for delivery
Thu Nov 17 16:11:20 2016 Info: MID 123456789 Outbreak Filters: verdict negative
Thu Nov 17 16:11:20 2016 Info: Message finished MID 123456789 aborted
Thu Nov 17 16:11:20 2016 Info: Message aborted MID 123456789 Receiving aborted by sender

I have configured props.conf on the indexer under /opt/splunk/etc/system/local as follows, but I am still getting the "Failed to parse timestamp" errors.

[source::/var/log/proxy/ironport/*/mail.*@*.s]
SHOULD_LINEMERGE = false
TIME_FORMAT = %a %b %_d %H:%M:%S %Y
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25

The full error message is

11-17-2016 17:09:58.593 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Nov 17 16:22:07 2016). Context: source::/var/log/proxy/ironport/mail.text.mariner.yyy.corp.com.@20161117T162003.s|host::xxxxxslg01.xxxx.company.com|cisco_esa|376273
0 Karma

sshelly_splunk
Splunk Employee

Remove the time_format and time_prefix settings. Splunk will read that timestamp correctly. I copied/pasted your log data into a file, uploaded it, and timestamps were extracted auto-magically.

0 Karma
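As an added example, not code from this thread or from Splunk: a small Python check that runs the sample mail log lines through a strptime format equivalent to the configured TIME_FORMAT (using a plain %d, since Python's strptime has no %_d directive and its %d already accepts a space-padded day) and that pulls the fallback time, source and host out of a DateParserVerbose warning, so events that were silently given the previous event's time can be found. Python's strptime is not Splunk's timestamp processor, so agreement here is a sanity check, not proof of what Splunk will do.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the IronPort mail log in the question,
# plus one single-digit-day line (space padded, as ctime-style stamps are) and
# one line with no timestamp at all.
SAMPLE_LINES = [
    "Thu Nov 17 16:11:20 2016 Info: MID 123456789 queued for delivery",
    "Thu Nov 17 16:11:20 2016 Info: Message finished MID 123456789 aborted",
    "Mon Nov  7 09:05:03 2016 Info: MID 123456790 Outbreak Filters: verdict negative",
    "Info: continuation line with no timestamp",
]

# The splunkd.log warning quoted in the question, used as the sample to parse.
WARNING = ("11-17-2016 17:09:58.593 +0000 WARN  DateParserVerbose - Failed to parse timestamp. "
           "Defaulting to timestamp of previous event (Thu Nov 17 16:22:07 2016). "
           "Context: source::/var/log/proxy/ironport/mail.text.mariner.yyy.corp.com.@20161117T162003.s"
           "|host::xxxxxslg01.xxxx.company.com|cisco_esa|376273")

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # strptime equivalent of the posted TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEAD = 25            # same window the poster configured

WARN_RE = re.compile(
    r"DateParserVerbose - Failed to parse timestamp\. "
    r"Defaulting to timestamp of previous event \((?P<fallback>[^)]+)\)\. "
    r"Context: source::(?P<source>[^|]+)\|host::(?P<host>[^|]+)\|(?P<sourcetype>[^|]+)"
)

def parse_event_time(line, fmt=TIME_FORMAT, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Datetime at the start of the line (TIME_PREFIX = ^), or None if it does not parse."""
    head = line[:lookahead]                 # only the lookahead window is considered
    parts = head.split(None, 5)[:5]         # weekday, month, day, time, year
    try:
        return datetime.strptime(" ".join(parts), fmt)
    except ValueError:
        return None

def audit(lines, fmt=TIME_FORMAT):
    """(index, line) pairs whose timestamp would not parse with fmt."""
    return [(i, l) for i, l in enumerate(lines) if parse_event_time(l, fmt) is None]

def parse_dateparser_warning(msg):
    """Fallback time, source, host and sourcetype from a DateParserVerbose warning."""
    m = WARN_RE.search(msg)
    if not m:
        return None
    return {"fallback": datetime.strptime(m.group("fallback"), TIME_FORMAT),
            "source": m.group("source"), "host": m.group("host"),
            "sourcetype": m.group("sourcetype")}
```

Run audit() over a sample of the file before changing props.conf; any line it reports would be indexed with the previous event's time, which breaks mail-flow timelines during an investigation.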

babcolee
Path Finder

Thank you!

0 Karma

sshelly_splunk
Splunk Employee

I just realized this is still out there. Sorry I missed that.
Have you seen:
http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IronPort_Web_Security_Appliance
This might be the easiest thing to do, as Cisco_WSA_squid is a known sourcetype, and should make your life a lot easier.

0 Karma

babcolee
Path Finder

We have already configured the Ironport feeds with a rename of the sourcetype to cisco:esa:legacy and linked it to the CIM model, so any change is not possible. I have approached Splunk Support and they have referred me back to Splunk Answers since this is not a break fix. However, this is not working as prescribed, so we are looking for some help to resolve this issue.

0 Karma

babcolee
Path Finder

It seemed to be working for a while, but I am seeing the same message again.

0 Karma