Splunk cannot parse ISO8601/RFC3339 timestamp (e.g...

efcasado · ‎05-09-2017

I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.

I am using the syslog data source, which I configured to parse timestamps with the following format string: %Y-%m-%dT%H:%M:%S.%6N%:z

This is how the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64 but did not help):
[syslog] DATETIME_CONFIG = MAX_TIMESTAMP_LOOKAHEAD = 32 NO_BINARY_CHECK = true TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z disabled = false

This is how Splunk is outputing my log messages:

2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info] This is just a dummy log message

As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e. 19:56:50.233) just as if it was not able to parse the original timestamp.

gcusello · ‎05-10-2017

Hi efcasado,
having an example of your logs I could test it, but It seems to me that the problem may be on the timezone

%Y-%m-%dT%H:%M:%S.%6N%z

Bye.
Giuseppe

koshyk · ‎05-09-2017

can you please add the raw data here too. Splunk won't add new time as per above config, but I feel it is added by your syslog server or upstream system

Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio