Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

DateParserVerbose errors unable to parse timestamp in IHS stats_log

SPlunkQR
Explorer
‎06-17-2020 05:48 AM

We are seeing tens of thousands of these events daily from Splunk trying to parse the timestamp for events in our IHS stats_log files:

06-17-2020 08:09:29.089 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (27) characters of event. Defaulting to timestamp of previous event (Wed Jun 17 07:53:07 2020).

This is our current props.conf stanza:

[ihs_stats_log]
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
TRANSFORMS-null = ihs_stats_setnull, ihs_stats_setnull_2

And each event looks something like this:

[2020 06 17 04:01:54:505],EMRPROF5,XML_FEB_S_P,SSL,indpoma4,WZ ,9RT0221A,DAL_PERSISTENT,DAL_PERSISTENT,10.200.142.36,1,0,917,39,101,0,7152,140,TAPFIGA ,0000,-

Can anyone see where we went wrong with our props.conf file and why it's not recognizing those event time stamps?

Thanks in advance for your reply.

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

SPlunkQR
Explorer
‎06-22-2020 05:09 AM

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

SPlunkQR
Explorer
‎06-22-2020 05:09 AM

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

0 Karma
Reply
Solved! Jump to solution

SPlunkQR
Explorer
‎06-17-2020 05:58 AM

I didn't see an edit button so I apologize if I just missed it, but I wanted to include our transforms.conf stanzas as well for completeness:

[ihs_stats_setnull]
REGEX = ^[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

[ihs_stats_setnull_2]
REGEX = ^[-|,]{0,18}\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

We found that the log itself does not seem to break lines properly all the time as occasionally there will just be a line like these:
-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-
-,-,-,-,-,-,-,-,-,10.240.121.86,-,-,-,-,-,-,-,-,-,-,-

We are trying to send those to the nullQueue.

Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...