I have an Ironport log file that looks like the following:
Thu Nov 17 16:11:20 2016 Info: MID 123456789 ICID 123456789 To: Rejected by Receiving Control
Thu Nov 17 16:11:20 2016 Info: MID 123456789 queued for delivery
Thu Nov 17 16:11:20 2016 Info: MID 123456789 Outbreak Filters: verdict negative
Thu Nov 17 16:11:20 2016 Info: Message finished MID 123456789 aborted
Thu Nov 17 16:11:20 2016 Info: Message aborted MID 123456789 Receiving aborted by sender
I have configured the props.conf on the indexer under the /opt/splunk/etc/system/local as the following but I am still getting the "Failed to parse timestamp" errors.
[source::/var/log/proxy/ironport/*/mail.*@*.s]
SHOULD_LINEMERGE = false
TIME_FORMAT = %a %b %_d %H:%M:%S %Y
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
The full error message is
11-17-2016 17:09:58.593 +0000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Nov 17 16:22:07 2016). Context: source::/var/log/proxy/ironport/mail.text.mariner.yyy.corp.com.@20161117T162003.s|host::xxxxxslg01.xxxx.company.com|cisco_esa|376273
↧
