Hi Folks,
we have logs in the format below. There is no timestamp on the first 5 lines and we are getting the error "failed to parse timestamp defaulting to file mtime error" while indexing the data. We have created some timezone and prefix settings in props.conf but it doesn't fix the issue. Could anyone please help me fix the issue?
Log example:
*
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
*
M sysno s00
M sid P015
M systemid 3290 (AMD/Intel x86_64 with Linux)
M relno 742e0
M patchlevel 01
M patchno 439d
M Sun Sep 17 10:42:57 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
props.conf:
[ ]
SHOULD_LINEMERGE=false
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\w{1}\s\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}
It looks like your timestamp lookahead needs to be at least 200-300 characters to find that one.
It might be best to try to figure out a good timestamp prefix to use. If it is always right after the patchno, then perhaps something like:
TIME_PREFIX = M patchno.{6,15}M\d
https://answers.splunk.com/answers/318191/timestamp-lookahead-questions.html
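As an added illustration (not from either poster), here is a small Python model of how the LINE_BREAKER from the question and Splunk's MAX_TIMESTAMP_LOOKAHEAD / TIME_PREFIX settings interact on this log format. The sample text, the HEADER_PREFIX regex and the simplified breaking/extraction logic are my own constructions, not Splunk's code; they only model the documented behaviour (default lookahead of 128 characters, measured from the end of the TIME_PREFIX match).

```python
import re
from datetime import datetime

# Constructed sample in the poster's format: a header with no timestamp, then the
# "M Sun Sep 17 10:42:57 2017" line; a second timestamped line is appended.
SAMPLE = """*
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
*
M sysno s00
M sid P015
M systemid 3290 (AMD/Intel x86_64 with Linux)
M relno 742e0
M patchlevel 01
M patchno 439d
M Sun Sep 17 10:42:57 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M Sun Sep 17 10:43:05 2017
M second timestamped block (constructed)
"""
# LINE_BREAKER from the question: the captured newline before a "M Sun Sep 17 ..." line ends the event.
LINE_BREAKER = re.compile(r"([\r\n]+)\w{1}\s\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}")
# Hypothetical TIME_PREFIX that skips the header and lands just after the "M " of the timestamp line.
HEADER_PREFIX = r"M patchno[^\r\n]*[\r\n]+M "
TIME_RE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # strptime form of the matching TIME_FORMAT


def break_events(text, breaker=LINE_BREAKER):
    """Model of LINE_BREAKER: the capture group is discarded and what follows starts a new event."""
    events, start = [], 0
    for m in breaker.finditer(text):
        events.append(text[start:m.start(1)])
        start = m.end(1)
    events.append(text[start:])
    return [e for e in events if e.strip()]


def extract_time(event, lookahead=128, prefix=None):
    """Model of timestamp extraction: skip past TIME_PREFIX (if set), then search only the next
    MAX_TIMESTAMP_LOOKAHEAD characters (default 128). None = 'failed to parse timestamp'."""
    window = event
    if prefix is not None:
        m = re.search(prefix, event)
        if m is None:
            return None
        window = event[m.end():]
    m = TIME_RE.search(window[:lookahead])
    return datetime.strptime(m.group(0), TIME_FORMAT) if m else None
```

With the question's LINE_BREAKER the header becomes its own event with no timestamp (the reported error), while the timestamped events parse; treated as one block with the default lookahead the timestamp (about 177 characters in) is missed, and either a wider lookahead or a prefix that skips the header finds it.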