Getting Data In

If the Universal Forwarder doesn't do parsing, why do I see an abundance of "Failed to parse timestamp" errors in splunkd.log?

RJ_Grayson
Path Finder

I'm currently troubleshooting some data inputs from a Universal Forwarder that I have forwarding to an intermediate Heavy Forwarder tier, which forwards to my Indexer tier. I was under the impression that Universal Forwarders should not do any parsing; however, when I look at the Universal Forwarder splunkd.log files, I'm seeing quite a lot of "Failed to parse timestamp" and "The TIME_FORMAT specified is matching timestamps outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE." on the Universal Forwarder.

If the UF is supposed to be sending streams of data and skipping any parsing operations, why am I seeing these errors at the UF?

Sample logs I'm seeing on the Universal Forwarder:

11-22-2016 01:37:15.717 +0000 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (ZERO_TIME) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: removed

11-22-2016 01:37:15.717 +0000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Tue Nov 22 01:36:58 2016). Context: removed

woodcock
Esteemed Legend

Did you install the UF version of Splunk (there are different packages)? Have you deployed any INDEXED_EXTRACTIONS= configurations to the UF?


mrgibbon
Contributor

Have you tried grabbing a sample of the data and using that to go through the "Add Data" wizard on another Splunk machine?
That might give you a heads up on the formatting needed for the timestamp and also allow you to play with settings until it's correct.
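To make the two warnings from the question concrete before touching a production props.conf, here is an added example (not Splunk's code, and not posted by anyone in this thread) that replays offline what the splunkd.log lines describe: it applies a strptime-style TIME_FORMAT behind an optional TIME_PREFIX regex with a MAX_TIMESTAMP_LOOKAHEAD-like character limit, rejects any extracted timestamp that falls outside the MAX_DAYS_AGO/MAX_DAYS_HENCE window, and defaults to the previous event's timestamp when extraction or the window check fails. The sample events, the frozen clock used as "now", and the fallback to that clock for the very first event are constructed assumptions; treating a window violation as leading to the "previous event" fallback is my reading of the two log lines above, which carry the same millisecond timestamp. The values 2000 and 2 are the props.conf defaults for MAX_DAYS_AGO and MAX_DAYS_HENCE.

```python
import re
from datetime import datetime, timedelta

# props.conf defaults for the acceptance window; override to match your deployment
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2

# Constructed sample events, not taken from the original thread. The clock is
# frozen so the run is reproducible.
NOW = datetime(2016, 11, 22, 1, 37, 15)
SAMPLE_EVENTS = [
    "2016-11-22 01:36:58 INFO service started",
    "1970-01-01 00:00:00 INFO counter reset",           # epoch zero: far outside the window
    "heartbeat ok INFO no timestamp on this line",      # nothing for TIME_FORMAT to match
    "2016-11-30 00:00:00 INFO scheduled for next week", # more than MAX_DAYS_HENCE ahead
    "2016-11-22 01:37:02 INFO request handled",
]


def extract_timestamp(line, time_format, time_prefix=r"^", lookahead=19):
    """Mimic TIME_PREFIX + TIME_FORMAT + MAX_TIMESTAMP_LOOKAHEAD: anchor on the
    prefix regex, then try strptime on the longest substring that parses.
    Returns None when no substring within the lookahead matches the format."""
    m = re.search(time_prefix, line)
    if m is None:
        return None
    window = line[m.end():m.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def assign_timestamps(lines, time_format, now=NOW, max_days_ago=MAX_DAYS_AGO,
                      max_days_hence=MAX_DAYS_HENCE, **extract_kwargs):
    """Return one (assigned_datetime, warning_or_None) pair per line, applying
    the MAX_DAYS_AGO/MAX_DAYS_HENCE window and the 'default to the timestamp of
    the previous event' fallback that the splunkd.log warnings describe."""
    earliest = now - timedelta(days=max_days_ago)
    latest = now + timedelta(days=max_days_hence)
    results = []
    previous = now  # assumption: with no previous event yet, fall back to the clock
    for line in lines:
        ts = extract_timestamp(line, time_format, **extract_kwargs)
        warning = None
        if ts is None:
            warning = "Failed to parse timestamp. Defaulting to timestamp of previous event"
        elif not (earliest <= ts <= latest):
            warning = ("TIME_FORMAT matched a timestamp outside the acceptable window; "
                       "check MAX_DAYS_AGO/MAX_DAYS_HENCE if the timestamp is correct")
        if warning is not None:
            ts = previous
        results.append((ts, warning))
        previous = ts
    return results


def count_warnings(results):
    """Number of events that would have produced a DateParserVerbose warning."""
    return sum(1 for _, warning in results if warning is not None)


if __name__ == "__main__":
    for ts, warning in assign_timestamps(SAMPLE_EVENTS, "%Y-%m-%d %H:%M:%S"):
        print(ts.isoformat(), "" if warning is None else f"WARN {warning}")
```

Running it against the sample shows three of the five events falling back to a previous timestamp: the epoch-zero event and the "next week" event match the format but fail the window check, and the line with no timestamp fails extraction outright. Passing `max_days_hence=10` accepts the future-dated event and drops the count to two, which is the tuning decision the warning text is asking you to make deliberately rather than by widening the window until the log goes quiet.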
