All,
I am receiving the following error in Splunk.
08-07-2019 17:56:59.597 +0000 WARN DateParserVerbose - A possible timestamp match (Fri Feb 11 02:54:04 2011) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=http:collectd|host=myhost.mydomain.com|linux:collectd:http:metrics|
Here is my config:
#collectd.conf
LoadPlugin write_http
<Plugin write_http>
<Node "node-http-1">
URL "https://localhost:8088/services/collector/raw?channel=AAAAAAA-abcd-abcd-AAAAAAAAAAAAAAAAA"
Header "Authorization: Splunk AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA"
Format "JSON"
Metrics true
StoreRates true
VerifyPeer false
</Node>
</Plugin>
<Plugin cpu>
ReportByCpu true
ReportByState true
ValuesPercentage true
</Plugin>
<Plugin memory>
ValuesAbsolute true
ValuesPercentage true
</Plugin>
<Plugin swap>
ReportByDevice true
ReportBytes true
ValuesAbsolute true
ValuesPercentage true
</Plugin>
<Plugin vmem>
Verbose false
</Plugin>
<Plugin df>
# Device "/dev/hda1"
# Device "192.168.0.2:/mnt/nfs"
# MountPoint "/home"
# FSType "ext3"
ReportByDevice true
# ReportInodes false
# ValuesAbsolute true
ValuesPercentage true
</Plugin>
<Plugin load>
ReportRelative true
</Plugin>
<Plugin processes>
ProcessMatch "all" "(.*)"
</Plugin>
Here is my inputs.conf
[http://collectd]
disabled = 0
index = collectd
indexes = collectd
sourcetype = linux:collectd:http:metrics
token = AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA
and here is my props.conf
# props.conf
[linux:collectd:http:metrics]
METRICS_PROTOCOL = COLLECTD_HTTP
Any ideas?
What does the data look like?
You can either use: DATETIME_CONFIG = CURRENT
to ignore timestamps in the data and use the current time (not ideal when possible) or use a combination of these to properly parse the timestamp: MAX_TIMESTAMP_LOOKAHEAD = <integer>
, TIME_PREFIX = <regular expression>
, TIME_FORMAT = <strptime-style format>
If you really have an event from 8 years ago, you need to increase MAX_DAYS_AGO = <integer>
https://docs.splunk.com/Documentation/Splunk/latest/Admin/PropsConf
How can I see the raw structure of the collectd metric to populate these fields?