All Apps and Add-ons

Why is TA_docker_simple working in one site but not the other site?

ChrisW-TX
Loves-to-Learn

Simple setup, two different sites with a single clustered Indexer in each, a local Heavy Forwarder that is also the deployment server for the UF's, and a SH in each site.

I've deployed the TA_docker_simple app in both sites, installed on both HF's and the intended docker servers at each site.  Works great in one site but I get no data indexed in the other.  All UF's send in the data from the .sh scripts that the app contains (I can see event counts in their metrics.log) but on the problem site HF, I'm seeing messages like this:

06-27-2022 21:00:50.057 +0000 WARN DateParserVerbose - Accepted time (Fri Apr 1 18:31:29 2022) is suspiciously far away from the previous event's time (Fri Apr 1 19:46:38 2022), but still accepted because it was extracted by the same pattern. Context: source=docker_simple_ps|host=XXXXXX|docker:ps|6581

Which looks like it's trying to use a string date that is in the script output but isn't the timestamp (it's the container creation timestamp). The actual timestamp is an epoch integer at the beginning of each event.  Even if it were getting imported with the invalid timestamps I would see the data with a realtime search but I see nothing coming in.  I'm not sure how to resolve this.  Both sites are using the same copy of the app on the HF (minus the inputs.conf) and on the UFs.   

It works perfectly in one site but not the other.  I've used btool to verify the props and transforms on the HF's are exactly the same.  It's probably something obvious but I can't figure this one out.

Labels (3)
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...