Re: DateParserVerbose Failed to parse timestamp in...

hketer · ‎04-20-2022

Hi,

We have event with time field Time=1650461136000
Props configuration parsing the time into
_time: 2022-04-20 16:25:36
_indextime: 04/20/2022 16:22:43

[props]

TIME_PREFIX = ,\Time\=
TIME_FORMAT = %s%3N

That means the data ingest with future time.

With that being said, what are we missing?
Why we still receive the warning
"WARN Date ParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (350) characters of event. Defaulting to timestamp of previous event"

Thank you!

gcusello · ‎04-20-2022

Hi @hketer,

I suppose that you already checked the clocks of all the systems and that they are all aligned with an NTP server.

Then, could you share a sample of your logs with the wrong timestamp?

Ciao.

Giuseppe

hketer · ‎04-20-2022

Hi,

Thank you for the replay.

The Epochtime is the same as the _time
unfortunately I can't share the raw event.

gcusello · ‎04-20-2022

Hi @hketer,

sorry but I asked a different question: did you checked that the clock of the target server and the one of Indexers are aligned with an NTP server?

It seems that there a different time between them.

If you can't share events I cannot check the timestamp extraction, mask you data before sharing it.

Ciao.

Giuseppe

DateParserVerbose Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD

configuration

using Splunk Enterprise

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud