All Apps and Add-ons

Why am I getting DateParserVerbose warnings although DATETIME_CONFIG is set to NONE?

krdo
Communicator

Hi,

I'm forwarding CSV files to Splunk. The timestamp for each event in a file should be set to the file's modtime, therefore I've set DATETIME_CONFIG = NONE for the sourcetype in the props.conf on the indexer. This seems to work, but I'm getting lots of the following warnings:

WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sat Apr 20 02:39:10 2013). Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-31-Values.amf|host::MY_HOST|Application Metrics|112033
WARN DateParserVerbose - A possible timestamp match (Mon Sep 24 17:04:52 2007) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-30-Values.amf|host::MY_HOST|Application Metrics|111934

(131364 events produce 1694 warnings)

Why is Splunk trying to find/parse a timestamp? I thought DATETIME_CONFIG = NONE disables the date parser? Is it possible to disable the date parser (for a specific sourcetype)?

Issue occurs on a distributed system (6.4.3) and on a standalone Splunk instance (6.5.0).

EDIT

The props.conf on the forwarder:

###############################################################################
[Application Metrics]
###############################################################################

category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true

# Parsing Phase ###############################################################

CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_HEADER_REGEX = ^\s*[kK]ey\s*,
PREAMBLE_REGEX = ^\s*#

props.conf on the indexer:

###############################################################################
[Application Metrics]
###############################################################################

category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true

# Parsing Phase ###############################################################

DATETIME_CONFIG = NONE

Events around the time at which the warnings are logged:

alt text

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee
Splunk Employee

Try setting: DATETIME_CONFIG = CURRENT on the forwarder since you are using indexed_extractions

View solution in original post

dmaislin_splunk
Splunk Employee
Splunk Employee

Try setting: DATETIME_CONFIG = CURRENT on the forwarder since you are using indexed_extractions

krdo
Communicator

Thanks for the reply,
I'll try that. Should I change the props.conf on the indexer as well?
Does DATETIME_CONFIG even influence the forwarder's behavior? Looking at http://wiki.splunk.com/Community:HowIndexingWorks it seems like it is only used by the indexer.

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

You can remove that on the indexer as indexed extractions are done on the forwarder props.conf.

0 Karma

krdo
Communicator

We moved DATETIME_CONFIG = NONE from the props.conf on the indexer to the forwarder props.conf and it works like a charm. Thanks for pointing that out!

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

PERFECT. Please upvote my answer and have a nice day.

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

Include a sample of some events, include your props.conf so we can comment properly. Thanks!

0 Karma

krdo
Communicator

I've updated my question (added props.conf and a screenshot showing resulting events).

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...