Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Received error warning "Failed to parse timestamp. Defaulting to timestamp of previous event". How can I find which event in the source log threw this error?

kteng2024
Path Finder
‎02-23-2017 12:11 PM

i am trying to debug an issue "failed to parse timestamp". In the splunkd log, i see the following warning :-

02-23-2016 13:55:38.721 -0500 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Feb 23 13:55:38 2016). Context: source::xxxxx.log|host:yyyyy|xyz_log|1123

since this warning is from splunkd.log, the timestamp it showing is indexer time. but i want to know what is the event in the source log when the splunkd is throwing this error, so that i can better the understand reason.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-25-2017 03:37 AM

Like this:

index=* _indextime=<Convert '02-23-2016 13:55:38.721 -0500' to epoch manually> _time=<Convert 'Thu Feb 23 13:55:38 2016' to epoch manually> source=xxxxx.log host=yyyyy
0 Karma
Reply

DalJeanis
Legend
‎02-23-2017 12:15 PM

Start by looking at the _raw for all events where _time = Thu Feb 23 13:55:38 2016
with the given source and host. There shouldn't be more than a couple.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...