Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

failed to parse timestamp for event

keiichilam
Explorer
‎10-02-2011 08:48 PM

HI

My splunk failed to parse timestamp of one of the inbound syslog.

10-03-2011 10:55:18.119 +0800 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::udp:514|host::TSSSYSLOG01|syslog|" Text="172.18.12.21, -, -, N, 2011-10-03, 11:02:45, 1, -, -, ProxyAV_Sec, 172.18.12.25, 1344, 906, 193, 0, ..."

I have renamed the sourcetype as proxyav in transforms.conf

in props.conf, I added follow
[proxyav]

SHOULD_LINEMERGE = false

# MAX_TIMESTAMP_LOOKAHEAD=60

# TIME_PREFIX = ^[^\,]+\,[^\,]+\,[^\,]+\,[^\,]+\,\s

# TIME_FORMAT = %Y-%m-%d, %T

# TIME_PREFIX = ^[^\,]+\,[^\,]+\,[^\,]+\,[^\,]+\,\s

TIME_FORMAT = %Y-%m-%d, %H:%M:%S,

KV_MODE = none

I did also tried various remarked setting, but no luck to remove the parse error. Could anyone give me a hand?

Best Regards

Tags (3)
0 Karma
Reply

mzorzi
Splunk Employee
Splunk Employee
‎10-03-2011 01:47 AM

You should use the TIME_PREFIX, instead of ^[^,], I would use a regex for the ip, then a non space, like \S

Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...