Getting Data In

Time stamp issue with collectd?

daniel333
Builder

All,

I am receiving the following error in Splunk.

08-07-2019 17:56:59.597 +0000 WARN  DateParserVerbose - A possible timestamp match (Fri Feb 11 02:54:04 2011) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=http:collectd|host=myhost.mydomain.com|linux:collectd:http:metrics|

Here is my config:

#collectd.conf
LoadPlugin write_http
<Plugin write_http>
  <Node "node-http-1">
    URL "https://localhost:8088/services/collector/raw?channel=AAAAAAA-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Header "Authorization: Splunk AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Format "JSON"
    Metrics true
    StoreRates true
    VerifyPeer false
  </Node>
</Plugin>

<Plugin cpu>
   ReportByCpu true
   ReportByState true
   ValuesPercentage true
</Plugin>

<Plugin memory>
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin swap>
        ReportByDevice true
        ReportBytes true
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin vmem>
        Verbose false
</Plugin>

<Plugin df>
#       Device "/dev/hda1"
#       Device "192.168.0.2:/mnt/nfs"
#       MountPoint "/home"
#       FSType "ext3"
        ReportByDevice true
#       ReportInodes false
#       ValuesAbsolute true
        ValuesPercentage true
</Plugin>


<Plugin load>
        ReportRelative true
</Plugin>


<Plugin processes>
         ProcessMatch "all" "(.*)"
</Plugin>

Here is my inputs.conf

[http://collectd]
  disabled = 0
  index = collectd
  indexes = collectd
  sourcetype = linux:collectd:http:metrics
  token = AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA

and here is my props.conf

# props.conf
[linux:collectd:http:metrics]
  METRICS_PROTOCOL = COLLECTD_HTTP

Any ideas?

0 Karma

jacobpevans
Motivator

What does the data look like?

You can either use: DATETIME_CONFIG = CURRENT to ignore timestamps in the data and use the current time (not ideal when possible) or use a combination of these to properly parse the timestamp: MAX_TIMESTAMP_LOOKAHEAD = <integer>, TIME_PREFIX = <regular expression>, TIME_FORMAT = <strptime-style format>

If you really have an event from 8 years ago, you need to increase MAX_DAYS_AGO = <integer>

https://docs.splunk.com/Documentation/Splunk/latest/Admin/PropsConf

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

daniel333
Builder

How can I see the raw structure of the collectd metric to populate these fields?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...