Why am I getting DateParserVerbose warnings although DATETIME_CONFIG is set to NONE?

krdo
Communicator

Hi,

I'm forwarding CSV files to Splunk. The timestamp for each event in a file should be set to the file's modtime, therefore I've set DATETIME_CONFIG = NONE for the sourcetype in the props.conf on the indexer. This seems to work, but I'm getting lots of the following warnings:

WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sat Apr 20 02:39:10 2013). Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-31-Values.amf|host::MY_HOST|Application Metrics|112033
WARN DateParserVerbose - A possible timestamp match (Mon Sep 24 17:04:52 2007) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-30-Values.amf|host::MY_HOST|Application Metrics|111934

(131364 events produce 1694 warnings)

Why is Splunk trying to find/parse a timestamp? I thought DATETIME_CONFIG = NONE disables the date parser? Is it possible to disable the date parser (for a specific sourcetype)?

Issue occurs on a distributed system (6.4.3) and on a standalone Splunk instance (6.5.0).

EDIT

The props.conf on the forwarder:

###############################################################################
[Application Metrics]
###############################################################################

category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true

# Parsing Phase ###############################################################

CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_HEADER_REGEX = ^\s*[kK]ey\s*,
PREAMBLE_REGEX = ^\s*#

props.conf on the indexer:

###############################################################################
[Application Metrics]
###############################################################################

category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true

# Parsing Phase ###############################################################

DATETIME_CONFIG = NONE

[screenshot: events around the time at which the warnings are logged]

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee

Try setting: DATETIME_CONFIG = CURRENT on the forwarder since you are using indexed_extractions.

krdo
Communicator

Thanks for the reply,
I'll try that. Should I change the props.conf on the indexer as well?
Does DATETIME_CONFIG even influence the forwarder's behavior? Looking at http://wiki.splunk.com/Community:HowIndexingWorks it seems like it is only used by the indexer.

0 Karma

dmaislin_splunk
Splunk Employee

You can remove that on the indexer as indexed extractions are done on the forwarder props.conf.

0 Karma

krdo
Communicator

We moved DATETIME_CONFIG = NONE from the props.conf on the indexer to the forwarder props.conf and it works like a charm. Thanks for pointing that out!

0 Karma
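As an added example (not the thread's own configuration), here is the forwarder-side props.conf that results from applying the accepted answer to the asker's goal. The stanza name, CHARSET and regexes are the ones posted in the question; the comments and the note about the indexer stanza are assumptions about the intended end state, not something the participants posted.

```ini
# Added example: forwarder props.conf after the fix described in this thread.
# With INDEXED_EXTRACTIONS the universal forwarder performs the structured-data
# parsing itself, so timestamp settings must be in the forwarder's props.conf;
# an indexer-side DATETIME_CONFIG never sees these events and has no effect.

[Application Metrics]
category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true

# Parsing phase (unchanged from the question)
CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_HEADER_REGEX = ^\s*[kK]ey\s*,
PREAMBLE_REGEX = ^\s*#

# Moved here from the indexer. NONE keeps the time chosen by the input layer,
# which for a monitored file is the file's modification time (the asker's
# intent) and skips timestamp extraction, so no DateParserVerbose warnings.
# The accepted answer's DATETIME_CONFIG = CURRENT would instead stamp each
# event with the time the forwarder read it.
DATETIME_CONFIG = NONE

# The indexer's [Application Metrics] stanza can drop DATETIME_CONFIG entirely
# (assumed cleanup, as suggested in the thread), leaving only index-time
# settings that the indexer actually applies.
```

To confirm which file a setting is resolved from, run `splunk btool props list "Application Metrics" --debug` on the forwarder; the `--debug` column names the props.conf that supplied each key, which makes a setting left on the wrong tier easy to spot. The forwarder has to be restarted for props.conf changes to take effect, and the warning count for new files should drop to zero once timestamp extraction is no longer attempted.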

dmaislin_splunk
Splunk Employee

PERFECT. Please upvote my answer and have a nice day.

0 Karma

dmaislin_splunk
Splunk Employee

Include a sample of some events, include your props.conf so we can comment properly. Thanks!

0 Karma

krdo
Communicator

I've updated my question (added props.conf and a screenshot showing resulting events).

0 Karma