Why is TIME_FORMAT failing for importing data?
I get the error:
Could not use strptime to parse timestamp from "INFO: Manager: list: Lis"
Raw log is repeating sections like:
Sep 06, 2018 12:00:56 AM org.apache.catalina.core.ApplicationContext log
INFO: Manager: list: Listing contexts for virtual host 'localhost'
Sep 06, 2018 12:01:56 AM org.apache.catalina.core.ApplicationContext log
INFO: Manager: list: Listing contexts for virtual host 'localhost'
Sep 06, 2018 12:02:56 AM org.apache.catalina.core.ApplicationContext log
INFO: Manager: list: Listing contexts for virtual host 'localhost'
I am using the following values in props.conf:
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
MAX_TIMESTAMP_LOOKAHEAD=24
disabled=false
TIME_PREFIX=^
LINE_BREAKER=^\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}
TIME_FORMAT=%b %d, %Y %H:%M:%S %p
Splunk will not accept the time format that I have defined above... and I am not sure why.
Try these props.conf settings.
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
MAX_TIMESTAMP_LOOKAHEAD=24
disabled=false
TIME_PREFIX=^
LINE_BREAKER=([\r\n]+)
TIME_FORMAT=%b %d, %Y %H:%M:%S %p
Unfortunately this still breaks in the same fashion. 😞
It is a good thought on the LINE_BREAKER though.
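The string in the error message is exactly 24 characters long, the MAX_TIMESTAMP_LOOKAHEAD value, and it is taken from the start of an INFO line, so that line was treated as its own event. The following is an added example, not code from the thread or from Splunk: a Python simulation of line breaking and timestamp extraction over the quoted log. The lookahead-based breaker, the `%I` directive and the function names are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample: the three events quoted in the question.
SAMPLE = (
    "Sep 06, 2018 12:00:56 AM org.apache.catalina.core.ApplicationContext log\n"
    "INFO: Manager: list: Listing contexts for virtual host 'localhost'\n"
    "Sep 06, 2018 12:01:56 AM org.apache.catalina.core.ApplicationContext log\n"
    "INFO: Manager: list: Listing contexts for virtual host 'localhost'\n"
    "Sep 06, 2018 12:02:56 AM org.apache.catalina.core.ApplicationContext log\n"
    "INFO: Manager: list: Listing contexts for virtual host 'localhost'\n"
)

LOOKAHEAD = 24  # MAX_TIMESTAMP_LOOKAHEAD from the thread
PER_LINE = r"([\r\n]+)"  # LINE_BREAKER from the answer: every line is an event
# Assumption: break only where the next line starts with a timestamp.
BEFORE_TS = r"([\r\n]+)(?=\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2} [AP]M)"
# %I is the 12-hour directive that pairs with %p; Python ignores %p after %H.
TIME_FORMAT = "%b %d, %Y %I:%M:%S %p"


def break_events(raw, line_breaker):
    """Split raw text into events; text matched by group 1 is discarded."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e]


def parse_timestamps(events, fmt=TIME_FORMAT, lookahead=LOOKAHEAD):
    """Return (parsed, failed): datetimes, and the windows strptime rejected."""
    parsed, failed = [], []
    for event in events:
        window = event[:lookahead]  # TIME_PREFIX=^ so the window starts at 0
        try:
            parsed.append(datetime.strptime(window, fmt))
        except ValueError:
            failed.append(window)
    return parsed, failed


if __name__ == "__main__":
    for name, breaker in (("per-line", PER_LINE), ("before-timestamp", BEFORE_TS)):
        ok, bad = parse_timestamps(break_events(SAMPLE, breaker))
        print(name, len(ok), "parsed;", "failed windows:", bad)
```

With the per-line breaker, the three INFO lines become events of their own and their first 24 characters are rejected; with the breaker that only splits before a timestamp, each event keeps its INFO line and all three timestamps parse.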