Hi,
I'm forwarding CSV files to Splunk. The timestamp for each event in a file should be set to the file's modtime, therefore I've set DATETIME_CONFIG = NONE for the sourcetype in the props.conf on the indexer. This seems to work, but I'm getting lots of the following warnings:
WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sat Apr 20 02:39:10 2013). Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-31-Values.amf|host::MY_HOST|Application Metrics|112033
WARN DateParserVerbose - A possible timestamp match (Mon Sep 24 17:04:52 2007) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-30-Values.amf|host::MY_HOST|Application Metrics|111934
(131364 events produce 1694 warnings)
Why is Splunk trying to find/parse a timestamp? I thought DATETIME_CONFIG = NONE disables the date parser? Is it possible to disable the date parser (for a specific sourcetype)?
Issue occurs on a distributed system (6.4.3) and on a standalone Splunk instance (6.5.0).
EDIT
The props.conf on the forwarder:
###############################################################################
[Application Metrics]
###############################################################################
category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true
# Parsing Phase ###############################################################
CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_HEADER_REGEX = ^\s*[kK]ey\s*,
PREAMBLE_REGEX = ^\s*#
props.conf on the indexer:
###############################################################################
[Application Metrics]
###############################################################################
category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true
# Parsing Phase ###############################################################
DATETIME_CONFIG = NONE
Events around the time at which the warnings are logged: [screenshot]
Try setting: DATETIME_CONFIG = CURRENT on the forwarder since you are using indexed_extractions
Thanks for the reply,
I'll try that. Should I change the props.conf on the indexer as well?
Does DATETIME_CONFIG even influence the forwarder's behavior? Looking at http://wiki.splunk.com/Community:HowIndexingWorks it seems like it is only used by the indexer.
You can remove that on the indexer as indexed extractions are done on the forwarder props.conf.
We moved DATETIME_CONFIG = NONE from the props.conf on the indexer to the forwarder props.conf and it works like a charm. Thanks for pointing that out!
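The fix agreed above, turned into a check you can run against a forwarder/indexer pair of props.conf files. This is an added example and not code from the thread or from Splunk: it parses both files, and for every sourcetype whose forwarder stanza enables INDEXED_EXTRACTIONS it reports timestamp settings that exist only on the indexer, where they are never applied because the forwarder already ran the parsing phase. The sample stanzas are constructed to mirror the ones posted in the question; the list of timestamp settings it checks (DATETIME_CONFIG plus the MAX_DAYS_AGO/MAX_DAYS_HENCE settings named in the warnings and a few commonly set with them) is an assumption, not a complete list.

```python
"""Lint Splunk props.conf pairs for timestamp settings placed on the wrong tier.

Added example, not code from the original thread or from Splunk. With
INDEXED_EXTRACTIONS the forwarder runs the parsing phase, so DATETIME_CONFIG and
related settings only take effect in the forwarder's props.conf; copies left in
the indexer's props.conf are silently ignored.
"""
import configparser
from typing import Dict, List

# Timestamp-related parsing-phase settings this lint checks. Assumption: limited
# to the settings named in the thread plus a few commonly set alongside them.
TIMESTAMP_KEYS = (
    "DATETIME_CONFIG",
    "TIME_PREFIX",
    "TIME_FORMAT",
    "MAX_TIMESTAMP_LOOKAHEAD",
    "MAX_DAYS_AGO",
    "MAX_DAYS_HENCE",
)

# Constructed inputs mirroring the stanzas posted in the question (the broken layout).
FORWARDER_PROPS_BROKEN = r"""
[Application Metrics]
category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true
# Parsing Phase
CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_HEADER_REGEX = ^\s*[kK]ey\s*,
PREAMBLE_REGEX = ^\s*#
"""

INDEXER_PROPS_BROKEN = r"""
[Application Metrics]
category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true
# Parsing Phase
DATETIME_CONFIG = NONE
"""

# The fix from the thread: DATETIME_CONFIG moves to the forwarder, indexer copy removed.
FORWARDER_PROPS_FIXED = FORWARDER_PROPS_BROKEN + "DATETIME_CONFIG = NONE\n"
INDEXER_PROPS_FIXED = INDEXER_PROPS_BROKEN.replace("DATETIME_CONFIG = NONE\n", "")


def load_props(text: str) -> configparser.ConfigParser:
    """Parse props.conf text. Splunk setting names are case-sensitive, so keep case,
    and disable interpolation so regex values containing '%' are left alone."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_ignored_timestamp_settings(forwarder_props: str, indexer_props: str) -> Dict[str, List[str]]:
    """Return {stanza: [keys]} for timestamp settings that exist only in the indexer's
    stanza of a sourcetype whose forwarder stanza enables INDEXED_EXTRACTIONS."""
    fwd = load_props(forwarder_props)
    idx = load_props(indexer_props)
    findings: Dict[str, List[str]] = {}
    for stanza in fwd.sections():
        if not fwd.has_option(stanza, "INDEXED_EXTRACTIONS"):
            continue  # classic sourcetype: the indexer parses, so its settings apply
        if not idx.has_section(stanza):
            continue
        ignored = [
            key for key in TIMESTAMP_KEYS
            if idx.has_option(stanza, key) and not fwd.has_option(stanza, key)
        ]
        if ignored:
            findings[stanza] = ignored
    return findings


if __name__ == "__main__":
    cases = (
        ("as posted", FORWARDER_PROPS_BROKEN, INDEXER_PROPS_BROKEN),
        ("after the fix", FORWARDER_PROPS_FIXED, INDEXER_PROPS_FIXED),
    )
    for label, fwd_text, idx_text in cases:
        result = find_ignored_timestamp_settings(fwd_text, idx_text)
        if not result:
            print(f"[{label}] no timestamp settings stranded on the indexer")
        for stanza, keys in result.items():
            print(f"[{label}] [{stanza}]: {', '.join(keys)} set on the indexer only; "
                  "with INDEXED_EXTRACTIONS it must live in the forwarder's props.conf")
```

On a live host, confirm which file each effective setting comes from by running `splunk btool props list "Application Metrics" --debug` on the forwarder itself rather than on the indexer; if DATETIME_CONFIG does not show up there, the forwarder is still extracting timestamps and the DateParserVerbose warnings will continue.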
PERFECT. Please upvote my answer and have a nice day.
Include a sample of some events, include your props.conf so we can comment properly. Thanks!
I've updated my question (added props.conf and a screenshot showing resulting events).