Getting Data In

Can someone explain what aggregation issues are?

snallam123
Path Finder

We on-boarded an application recently. Now we are seeing 100K aggregation issues (log level = WARN) and 30K timestamp issues (log level = WARN) yesterday from one source; we have been monitoring that source for the last 10 days. We have similar events and formatting.
The maximum number of events coming from that source is not more than 5K per day.
Do I need to ignore these warnings? What would cause these issues? Will they affect our environment? I don't know where to start looking. Can someone help!

Thank you for your support, Splunkers!!!

0 Karma
1 Solution

richgalloway
SplunkTrust

The aggregator message is caused by an event that is longer than 256 lines.
The timestamp message is caused by events that do not contain a timestamp in the first 128 characters.
Both messages are caused by incorrect (or missing) props.conf settings for the sourcetype. Verify there is a [sourcetype_name] stanza in one of your props.conf files and that the settings are correct for the data in that sourcetype.
If you would like help with the settings, please share some log data.

---
If this reply helps you, Karma would be appreciated.

snallam123
Path Finder

Thanks a lot @richgalloway for the answer. For these logs there are no props; we need to define them based on the log. Can you please clarify these:
Do these issues really affect indexing?
Do they impact performance or increase queues?
What might be the impact of these issues?

0 Karma

richgalloway
SplunkTrust

Yes, these issues really affect indexing. Events may be combined or split or truncated unpredictably. Events without a timestamp will be assigned a timestamp that may not accurately reflect when the event occurred. Your search results may be unreliable.
There is a minor performance degradation. Specifying props for a sourcetype means Splunk does not have to guess about what props to use, which improves performance. Every sourcetype you ingest should have props specified.

---
If this reply helps you, Karma would be appreciated.
0 Karma
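The kind of stanza richgalloway is asking for, as an added example that is not part of the thread or of Splunk's own documentation: it first spells out the effective defaults that produce both warnings, then sets explicit line-breaking and timestamp settings for the sourcetype. The sourcetype name `sourcetype_name` and the timestamp layout `2020-03-14 20:07:27,829` are assumptions, since the application log itself was never shared in the thread.

```ini
# Added example (not configuration from the thread or from Splunk docs).
# Assumptions: the sourcetype is called "sourcetype_name" and each log line
# begins with a timestamp written like "2020-03-14 20:07:27,829".

# --- What Splunk falls back to for a sourcetype with NO props.conf stanza ---
# These effective defaults are what produce the two WARN messages:
#   SHOULD_LINEMERGE = true         # guess event boundaries by merging lines
#   MAX_EVENTS = 256                # "Breaking event because limit of 256 has been exceeded"
#   MAX_TIMESTAMP_LOOKAHEAD = 128   # "Failed to parse timestamp in first ... (128) characters"
#   (no TIME_PREFIX / TIME_FORMAT)  # timestamp is guessed, or copied from the previous event

# --- Explicit stanza for the application's sourcetype ---
[sourcetype_name]
# Break on the newline(s) that precede a timestamp and do not merge lines
# afterwards. MAX_EVENTS only applies when SHOULD_LINEMERGE = true, so the
# 256-line aggregator limit no longer decides where an event ends.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})

# Tell the parser exactly where the timestamp is and how it is written,
# so it is parsed rather than guessed.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# The assumed timestamp is 23 characters long; keep the lookahead tight so a
# date inside the message body cannot be mistaken for the event time.
MAX_TIMESTAMP_LOOKAHEAD = 23

# Hard cap on a single event's size; anything longer is truncated rather than
# merged with its neighbours. Size it above the longest legitimate event.
TRUNCATE = 10000

# Deployed in props.conf on a universal forwarder, these two settings let the
# forwarder split events on the same boundary before they reach the indexer.
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
```

The stanza belongs in props.conf on the parsing tier (indexers or heavy forwarders); after deploying it, the two WARN messages in splunkd.log for that sourcetype should stop appearing for newly indexed data.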

richgalloway
SplunkTrust

Please share the log messages.

---
If this reply helps you, Karma would be appreciated.
0 Karma

snallam123
Path Finder

Sample log:
Aggregation sample logs:
03-14-2020 20:07:27.829 -0400 WARN AggregatorMiningProcessor - Breaking event because limit of 256 has been exceeded - data_source="SOURCE_NAME", data_host="Host_name", data_sourcetype="sourcetype_name"

Timestamp parsing issues:
03-14-2020 20:09:24.832 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Mar 4 19:09:40 2020).

All aggregation/timestamp parsing issues are giving us the same logs as above.

0 Karma