I am seeing many `Failed to parse timestamp. Defaulting to timestamp of previous event`.
I have configured the props.conf using `TIME_PREFIX = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}` or `TIME_FORMAT = +%Y-%m-%d %H:%m:%S`, and I even tried using a datetime.xml from the link http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem and I still get errors. I have tried with and without `LINE_BREAKER = ([\r\n]+)`. We are also doing inline field extraction as `?[^\s]+)\s+(?[^\s]+)\s+(?[^\s]+)` during search time to try and get away from the errors.
The log file looks like this:

```
2016-09-27 08:17:53 5035 XXX.XXX.XXX.XXX V123456 - - OBSERVED "Personals/Dating" http://www.match.com/favorites/AddEntry.aspx?uid=fHaa9bdvp8nKGVRcFqiUEQ2 200 TCP_NC_MISS POST application/json;charset=UTF-8 http das01.rtn.services.match.com 6080 /live/web/connect - - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" XXX.XXX.XXX.XXX 358 1893 - "none" "none" 463b0440cb7614fa-0000000087ac7413-0000000057ea2b2c - -
```
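Added example, not part of the original post and not Splunk's parser: a small Python check that runs a `TIME_PREFIX` / `TIME_FORMAT` pair against the start of the sample line, modelling only two documented props.conf behaviours (the timestamp is read after the `TIME_PREFIX` match, and `TIME_FORMAT` is strptime-style, where `%m` is month and `%M` is minute). The function `check`, its `lookahead` parameter and the `^` / `%Y-%m-%d %H:%M:%S` pair are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: the leading fields of the proxy log line in the post.
SAMPLE = "2016-09-27 08:17:53 5035 XXX.XXX.XXX.XXX V123456 - - OBSERVED"

# Settings exactly as quoted in the post.
POSTED_PREFIX = r"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}"
POSTED_FORMAT = "+%Y-%m-%d %H:%m:%S"

def check(time_prefix, time_format, line, lookahead=19):
    """Return (datetime or None, list of problems) for one event line.

    lookahead is this example's own parameter: how many characters after
    the prefix match are handed to the format (19 = len of the timestamp).
    """
    match = re.search(time_prefix, line)
    if match is None:
        return None, ["TIME_PREFIX does not match the event"]
    # The timestamp is looked for AFTER the prefix match, not inside it.
    candidate = line[match.end():match.end() + lookahead]

    # A directive used twice is almost always a %m/%M style mix-up.
    used = re.findall(r"%([A-Za-z])", time_format)
    problems = [f"%{d} appears twice in TIME_FORMAT"
                for d in sorted({d for d in used if used.count(d) > 1})]
    if problems:
        return None, problems
    try:
        return datetime.strptime(candidate, time_format), []
    except ValueError as exc:
        return None, [f"{candidate!r} does not parse: {exc}"]

if __name__ == "__main__":
    cases = {
        "posted prefix, fixed format": (POSTED_PREFIX, "%Y-%m-%d %H:%M:%S"),
        "start-of-line prefix, posted format": (r"^", POSTED_FORMAT),
        "start-of-line prefix, fixed format": (r"^", "%Y-%m-%d %H:%M:%S"),
    }
    for label, (prefix, fmt) in cases.items():
        print(label, "->", check(prefix, fmt, SAMPLE))
```

The first case fails because the prefix regex consumes the timestamp itself, leaving ` 5035 XXX...` to be parsed; the second fails on the repeated `%m`; only the third yields 2016-09-27 08:17:53.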