https://community.splunk.com/t5/Getting-Data-In/Splunk-data-forwarding-and-indexing-data-drop-issue/m-p/473197#M99693 <P>Hi,</P> <P>I'm facing issue with data forwarding to splunk. i'm not sure where data being dropped and its happening randomly.<BR /> Details:<BR /> I have text (key-value pair) file with 6.5 million lines(events) with same timestamp (_time) configured. <BR /> but while ingesting file to splunk via Heavy forwarder, it automatically incrementing _time +1 sec for every 100k or 200k events randomly.<BR /> Observation:<BR /> if the _time +1 sec increment happens for every 100k events, then no issues data completely ingest to splunk.<BR /> if some times _time +1 sec increment happens for 200+k events, we are observing data drop, only 4 to 4.5 million events got ingested out of 6.5 million events.</P> <P>splunk log giving this warning:<BR /> WARN DateParserVerbose - The same timestamp has been used for 500K consecutive times. If more than 200K events have the same timestamp, not all events may be retrieveable</P> <P>Splunk Environment details:<BR /> Splunk Version: 7.2.6<BR /> OS: AWS Linux Machine</P> <P>Could you please advice what is root cause of this issue and remedy for same.</P> <P>Thanks In Advance !!!.<BR /> Mani</P> Fri, 01 Nov 2019 02:33:14 GMT manikandankasi 2019-11-01T02:33:14Z https://community.splunk.com/t5/Getting-Data-In/Splunk-data-forwarding-and-indexing-data-drop-issue/m-p/473197#M99693 <P>Hi,</P> <P>I'm facing issue with data forwarding to splunk. i'm not sure where data being dropped and its happening randomly.<BR /> Details:<BR /> I have text (key-value pair) file with 6.5 million lines(events) with same timestamp (_time) configured. <BR /> but while ingesting file to splunk via Heavy forwarder, it automatically incrementing _time +1 sec for every 100k or 200k events randomly.<BR /> Observation:<BR /> if the _time +1 sec increment happens for every 100k events, then no issues data completely ingest to splunk.<BR /> if some times _time +1 sec increment happens for 200+k events, we are observing data drop, only 4 to 4.5 million events got ingested out of 6.5 million events.</P> <P>splunk log giving this warning:<BR /> WARN DateParserVerbose - The same timestamp has been used for 500K consecutive times. If more than 200K events have the same timestamp, not all events may be retrieveable</P> <P>Splunk Environment details:<BR /> Splunk Version: 7.2.6<BR /> OS: AWS Linux Machine</P> <P>Could you please advice what is root cause of this issue and remedy for same.</P> <P>Thanks In Advance !!!.<BR /> Mani</P> Fri, 01 Nov 2019 02:33:14 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-data-forwarding-and-indexing-data-drop-issue/m-p/473197#M99693 manikandankasi 2019-11-01T02:33:14Z https://community.splunk.com/t5/Getting-Data-In/Splunk-data-forwarding-and-indexing-data-drop-issue/m-p/473198#M99694 <P>I'll suggest here to fix timestamp at source (which is generating this log) so that it will be unique for every event (For example include milliseconds in your timestamp), it will be helpful for few scenario while searching those data.</P> Fri, 01 Nov 2019 08:55:31 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-data-forwarding-and-indexing-data-drop-issue/m-p/473198#M99694 harsmarvania57 2019-11-01T08:55:31Z https://community.splunk.com/t5/Getting-Data-In/Splunk-data-forwarding-and-indexing-data-drop-issue/m-p/473199#M99695 <P>Your sourcetype is not properly extracting the timestamp, OR...your log entries do not include milliseconds.<BR /> In either case, Splunk cannot determine unique events, and generates the messages you described.</P> Fri, 15 Nov 2019 05:40:15 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-data-forwarding-and-indexing-data-drop-issue/m-p/473199#M99695 codebuilder 2019-11-15T05:40:15Z