Archive

Time stamp issue with collectd?

Builder

All,

I am receiving the following error in Splunk.

08-07-2019 17:56:59.597 +0000 WARN  DateParserVerbose - A possible timestamp match (Fri Feb 11 02:54:04 2011) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=http:collectd|host=myhost.mydomain.com|linux:collectd:http:metrics|

Here is my config:

#collectd.conf
LoadPlugin write_http
<Plugin write_http>
  <Node "node-http-1">
    URL "https://localhost:8088/services/collector/raw?channel=AAAAAAA-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Header "Authorization: Splunk AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Format "JSON"
    Metrics true
    StoreRates true
    VerifyPeer false
  </Node>
</Plugin>

<Plugin cpu>
   ReportByCpu true
   ReportByState true
   ValuesPercentage true
</Plugin>

<Plugin memory>
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin swap>
        ReportByDevice true
        ReportBytes true
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin vmem>
        Verbose false
</Plugin>

<Plugin df>
#       Device "/dev/hda1"
#       Device "192.168.0.2:/mnt/nfs"
#       MountPoint "/home"
#       FSType "ext3"
        ReportByDevice true
#       ReportInodes false
#       ValuesAbsolute true
        ValuesPercentage true
</Plugin>


<Plugin load>
        ReportRelative true
</Plugin>


<Plugin processes>
         ProcessMatch "all" "(.*)"
</Plugin>

Here is my inputs.conf

[http://collectd]
  disabled = 0
  index = collectd
  indexes = collectd
  sourcetype = linux:collectd:http:metrics
  token = AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA

and here is my props.conf

# props.conf
[linux:collectd:http:metrics]
  METRICS_PROTOCOL = COLLECTD_HTTP

Any ideas?

0 Karma

Motivator

What does the data look like?

You can either use: DATETIME_CONFIG = CURRENT to ignore timestamps in the data and use the current time (not ideal when possible) or use a combination of these to properly parse the timestamp: MAX_TIMESTAMP_LOOKAHEAD = <integer>, TIME_PREFIX = <regular expression>, TIME_FORMAT = <strptime-style format>

If you really have an event from 8 years ago, you need to increase MAX_DAYS_AGO = <integer>

https://docs.splunk.com/Documentation/Splunk/latest/Admin/PropsConf

Cheers,
Jacob
0 Karma

Builder

How can I see the raw structure of the collectd metric to populate these fields?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!