Event without timestamp

D2SI · ‎01-12-2020

Dear team,

Thanks for the Add-on, it works great.

I just have plenty of this timestamp issue :

01-12-2020 22:45:55.239 +0000 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (500) characters of event. Defaulting to timestamp of previous event (Sun Jan 12 22:40:00 2020). Context: source=dynatrace_timeseries_metrics://Dynatrace_Timeseries_Metrics|host=heavy-forwarder|dynatrace:metrics|

I believe it is due to this message in sourcetype dynatrace:metrics which has no timestamp :

{"dynatrace_server":"https://rioxxxxx.live.dynatrace.com"}

Would you know if there is a way to get rid of it ?

I mean I can send to nullqueue but I would still got all these timestamp issues I am trying to clean up.

Thanks anyhow

to4kawa · ‎01-12-2020

props.conf:

[dynatrace:metrics]
SEDCMD-delete_dynatraceserver = s/^\{\"dynatrace_server.+$//

If you can erase it, there is this method.

D2SI · ‎01-17-2020

Thanks for suggestion @to4kawa !

Anyhow I am trying to get rid of timestamp issues, and as sedcmd is applied after timestamp assignment I believe I would still get timestamp issues logged just as using transforms nullqueue.

to4kawa · ‎01-17-2020

Do you just give up extracting from logs?

Event without timestamp

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life