I'm getting "DateParserVerbose - Failed to parse timestamp" from a syslog source. I'm a pretty inexperienced Splunk user, but the TIME_FORMAT value is %b %d %H:%M:%S, which looks right to me??? I want to parse the timestamp at the beginning of the message.
Here's a sample message:
Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: Apr 21 15:38:31.784: #NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 The system has failed to Send Msg to the NetFlow Task - One Second Timer Message could not be sent. Return Code (1)
Here's the warning:
04-21-2016 15:38:31.587 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 21 15:38:31 2016). Context: source::udp:3514|host::10.144.15.220|syslog|
And here's the sourcetype definition:
[syslog]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG =
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 32
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
NO_BINARY_CHECK = true
REPORT-syslog = syslog-extractions
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
TRANSFORMS = syslog-host
TRUNCATE = 10000
category = Operating System
description = Output produced by many syslog daemons, as described in RFC3164 by the IETF
detect_trailing_nulls = false
disabled = false
maxDist = 3
priority =
pulldown_type = true
sourcetype =
If you want to use the 'first' timestamp, set your MAX_TIMESTAMP_LOOKAHEAD to a smaller value.
Thanks for the response, but the second timestamp begins at byte #56. Shouldn't Splunk ignore it?
That's fine. I was guessing you wanted to use the '2nd' time-stamp, but you didn't specify.
Your TIME_PREFIX = ^ tells Splunk that the timestamp is immediately at the beginning of the event. Make a regex so that it starts at the 2nd.
Ah, great point. I'm sorry I didn't include that obvious detail. I want to use the timestamp at the beginning of the message. I'll fix my original post.
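To make the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT interaction from this thread concrete, here is an added example (not from the thread or from Splunk) that emulates the three settings on the sample event with Python's strptime. It is a simplified model, not Splunk's actual date parser: the prefix regex for the 2nd timestamp and the year 2016 are assumptions, and Splunk's real year inference and %3N handling are not reproduced.

```python
import re
from datetime import datetime

# Constructed copy of the event from the thread (two syslog timestamps).
SAMPLE_EVENT = ("Apr 21 15:38:31 10.144.15.220 device01: *osapiBsnTimer: "
                "Apr 21 15:38:31.784: #NFA_V9-3-FAIL_SEND_MSG: [PS] nfa_timer.c:67 "
                "The system has failed to Send Msg to the NetFlow Task")


def extract_timestamp(event, time_prefix=r"^", time_format="%b %d %H:%M:%S",
                      lookahead=32, year=2016):
    """Emulate Splunk's timestamp search (simplified, assumption):
    1. find TIME_PREFIX, 2. look at most MAX_TIMESTAMP_LOOKAHEAD characters
    past it, 3. fit TIME_FORMAT to the start of that window.
    Returns (datetime or None, window examined)."""
    m = re.search(time_prefix, event)
    if m is None:
        return None, ""
    window = event[m.end():m.end() + lookahead]
    # strptime must consume the whole string, so shrink the window from the
    # right until the format fits; this mimics Splunk tolerating trailing text.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
        # %b %d %H:%M:%S carries no year; Splunk fills one in, here assumed 2016.
        return ts.replace(year=year), window
    return None, window


if __name__ == "__main__":
    # TIME_PREFIX = ^ picks the leading timestamp, as the poster wants.
    print(extract_timestamp(SAMPLE_EVENT))
    # A prefix regex anchored just before the 2nd timestamp (assumed value).
    print(extract_timestamp(SAMPLE_EVENT, time_prefix=r"\*osapiBsnTimer: "))
    # Too small a lookahead cuts the window before the seconds field and fails.
    print(extract_timestamp(SAMPLE_EVENT, lookahead=10))
```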