Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Event-processing issues check in monitoring console consistently displays date_parsing_issues after upgrade to 7.1.6

bzsplunk54
New Member
‎03-23-2019 09:47 AM

When running the health check for the monitoring console I am consistently receiving event-processing issues (date_parsing_issues)
I have added a stanza to /opt/splunk/etc/system/local for the props.conf file and the errors are still persistent.

[default]
DEPTH_LIMIT = 100000
maxDist = 300
MAX_TIMESTAMP_LOOKAHEAD = 256
TRUNCATE = 99999999
MAX_EVENTS = 99999999
DATE_CONFIG = CURRENT

[cisco:ios]
DATETIME_CONFIG = CURRENT
TRANSFORMS-force_sourcetype_cisco_traceback = force_sourcetype_cisco_traceback
SHOULD_LINEMERGE=false
KV_MODE = none
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 99999999
MAX_EVENTS = 99999999

[cisco_syslog]
DATETIME_CONFIG = CURRENT
pulldown_type = 0
MAX_TIMESTAMP_LOOKAHEAD = 128
SHOULD_LINEMERGE = False

TIME_FORMAT = %b %d %H:%M:%S

TRANSFORMS = syslog-host
TRUNCATE = 99999999
MAX_EVENTS = 99999999
REPORT-syslog = syslog-extractions

any recommendations would be appreciated. thank you
this is an example of the syslog information with time stamp info

024044: Mar 23 11:24:08.831 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/6, changed state to down
024045: Mar 23 11:24:11.201 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/6, changed state to up

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-26-2019 02:56 AM

As per my comments on your question, you don't want to use TRUNCATE or DATE_CONFIG - certainly not in default, and not for these logs.
Try the following props settings - I encourage you to change the default section back to its defaults, but this could have implications if you have logs indexed with current time presently.

[default]
DEPTH_LIMIT = 100000
maxDist = 300
MAX_TIMESTAMP_LOOKAHEAD = 256
#TRUNCATE = 999999999
#MAX_EVENTS = 99999999
#DATE_CONFIG = CURRENT

[cisco:YOUR-ST]
#DATETIME_CONFIG = CURRENT
TRANSFORMS-force_sourcetype_cisco_traceback = force_sourcetype_cisco_traceback
SHOULD_LINEMERGE=false
KV_MODE = none
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX=^\d+\:\s
TIME_FORMAT=%b %d %H:%M:%S.%N3 %Z
MAX_TIMESTAMP_LOOKAHEAD=23
#TRUNCATE = 99999999
#MAX_EVENTS = 99999999
If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-26-2019 02:56 AM

As per my comments on your question, you don't want to use TRUNCATE or DATE_CONFIG - certainly not in default, and not for these logs.
Try the following props settings - I encourage you to change the default section back to its defaults, but this could have implications if you have logs indexed with current time presently.

[default]
DEPTH_LIMIT = 100000
maxDist = 300
MAX_TIMESTAMP_LOOKAHEAD = 256
#TRUNCATE = 999999999
#MAX_EVENTS = 99999999
#DATE_CONFIG = CURRENT

[cisco:YOUR-ST]
#DATETIME_CONFIG = CURRENT
TRANSFORMS-force_sourcetype_cisco_traceback = force_sourcetype_cisco_traceback
SHOULD_LINEMERGE=false
KV_MODE = none
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX=^\d+\:\s
TIME_FORMAT=%b %d %H:%M:%S.%N3 %Z
MAX_TIMESTAMP_LOOKAHEAD=23
#TRUNCATE = 99999999
#MAX_EVENTS = 99999999
If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-26-2019 02:39 AM

Truncate=999999999 is a terrible idea. It means you could conceivably end up with events of ~100mb in Splunk (which would be very bad)
The default limit is 10,000 bytes - if you are receiving Truncation warnings at 10k you almost certainly have line breaking issues that setting Truncate higher will simply mask or make worse.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-26-2019 02:43 AM

DATE_CONFIG=CURRENT is also another terrible idea.
It tells Splunk to ignore the timestamps in your event logs, and instead 'approximate' the event time to that which your indexers processed the event. This will make correlating events in chronological difficult, especially if you have multiple indexers. The ONLY time (imho) you should use this is when you have logs which do not provide timestamp information - in these cases you first should kick your vendors/developers (hard) to introduce a time to their logs before using this setting.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

bzsplunk54
New Member
‎03-27-2019 02:07 PM

appreciate your input!

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...