Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

troubleshooting.

whitecat001
Explorer
‎02-29-2024 07:42 AM

Am getting a warning of 

  DateParserVerbose - Accepted time (Wed Feb 14 17:01:12 2024) is suspiciously far away from previous event  (Thu jan  18 17:01:12 2024) is still acceptable because it was extracted by the same pattern 

Is there any configuration that can help take this error away in splunk

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-29-2024 09:28 AM
Quite possibly there are missing time format on your props.conf. For that reason splunk guess between mm/dd/yyyy and dad/mm/yyyy formats.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-29-2024 08:59 AM

Make sure the props.conf settings for that sourcetype have the correct time settings.  Specifically, check the TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD values.

Confirm the data source is sending the right events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

whitecat001
Explorer
‎02-29-2024 12:04 PM

The first event that came in doesnt have a timestamp which is the reason for the error but the other events are extracted properly

Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...