https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473211#M24363 <P>are the events really have the same timestamp?<BR /> see nice elaborated answer here:<BR /> <A href="https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html">https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html</A></P> Fri, 01 Nov 2019 03:13:01 GMT adonio 2019-11-01T03:13:01Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473210#M24362 <P>Hi,</P> <P>I'm facing issue with data forwarding to splunk. i'm not sure where data being dropped and its happening randomly.<BR /> Details:<BR /> I have text (key-value pair) file with 6.5 million lines(events) with same timestamp (_time) configured. <BR /> but while ingesting file to splunk via Heavy forwarder, it automatically incrementing _time +1 sec for every 100k or 200k events randomly.<BR /> Observation:<BR /> if the _time +1 sec increment happens for every 100k events, then no issues data completely ingest to splunk.<BR /> if some times _time +1 sec increment happens for 200+k events, we are observing data drop, only 4 to 4.5 million events got ingested out of 6.5 million events.</P> <P>splunk log giving this warning:<BR /> WARN DateParserVerbose - The same timestamp has been used for 500K consecutive times. If more than 200K events have the same timestamp, not all events may be retrieveable</P> <P>Splunk Environment details:<BR /> Splunk Version: 7.2.6<BR /> OS: AWS Linux Machine</P> <P>Could you please advice what is root cause of this issue and remedy for same.</P> <P>Thanks In Advance !!!.<BR /> Mani</P> Fri, 01 Nov 2019 02:37:19 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473210#M24362 manikandankasi 2019-11-01T02:37:19Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473211#M24363 <P>are the events really have the same timestamp?<BR /> see nice elaborated answer here:<BR /> <A href="https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html">https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html</A></P> Fri, 01 Nov 2019 03:13:01 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473211#M24363 adonio 2019-11-01T03:13:01Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473212#M24364 <P>Thanks Adonio for reply..<BR /> yes all 6.5 million event has same timestamp.<BR /> My concern is the data drop happening randomly. not consistence. how some times increment +1 sec for every 100k events and some time 200+k events.<BR /> Does Splunk version 7.2.6 has the capability to handle this scenario?<BR /> Could you please advise any work around for same. is there any limits needs to updated to handle this?</P> <P>Thanks,<BR /> Mani</P> Fri, 01 Nov 2019 03:44:00 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473212#M24364 manikandankasi 2019-11-01T03:44:00Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473213#M24365 <P>you can add the index time timestamp to each event<BR /> in <CODE>props.conf</CODE> under the relevant sourcetype stanza, add:<BR /> <CODE>DATETIME_CONFIG = CURRENT</CODE><BR /> read here more:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/admin/Propsconf">https://docs.splunk.com/Documentation/Splunk/8.0.0/admin/Propsconf</A></P> Fri, 01 Nov 2019 12:09:38 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-heavy-forwarder-data-forwarding-issue-WARN/m-p/473213#M24365 adonio 2019-11-01T12:09:38Z