Simple setup, two different sites with a single clustered Indexer in each, a local Heavy Forwarder that is also the deployment server for the UF's, and a SH in each site.
I've deployed the TA_docker_simple app in both sites, installed on both HF's and the intended docker servers at each site. Works great in one site but I get no data indexed in the other. All UF's send in the data from the .sh scripts that the app contains (I can see event counts in their metrics.log) but on the problem site HF, I'm seeing messages like this:
06-27-2022 21:00:50.057 +0000 WARN DateParserVerbose - Accepted time (Fri Apr 1 18:31:29 2022) is suspiciously far away from the previous event's time (Fri Apr 1 19:46:38 2022), but still accepted because it was extracted by the same pattern. Context: source=docker_simple_ps|host=XXXXXX|docker:ps|6581
Which looks like it's trying to use a string date that is in the script output but isn't the timestamp (it's the container creation timestamp). The actual timestamp is an epoch integer at the beginning of each event. Even if it were getting imported with the invalid timestamps I would see the data with a realtime search but I see nothing coming in. I'm not sure how to resolve this. Both sites are using the same copy of the app on the HF (minus the inputs.conf) and on the UFs.
It works perfectly in one site but not the other. I've used btool to verify the props and transforms on the HF's are exactly the same. It's probably something obvious but I can't figure this one out.
