Getting Data In

Events are truncating for some messages


Hi All,

I have some of the messages being truncated in Splunk though all other similar messages are parsing perfectly. There is no error of Truncation in the logs. Messages are of 400 lines/event.



Splunkd.log(Indexer) Error-

04-02-2020 14:48:57.391 +0200 WARN DateParserVerbose - Time parsed (Sun Sep 23 12:09:23 2012) is too far away from the previous event's time
(Thu Apr 2 14:48:56 2020) to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE (604800) may be overly restrictive.

Context: source::/APPLICATIONS/WebSphere/Logs/xxx/xxxEndpointCLONE2/xxxxENDPOINT_Splunk-messages.log|host::xxxx|ip_messages_sourcetype|680577

04-02-2020 14:56:40.255 +0200 WARN DateParserVerbose - A possible timestamp match (Sun Sep 23 12:09:23 2012) is outside of the acceptable time window.
If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::/APPLICATIONS/WebSphere/Logs/rxxx/xxxxEndpointCLONE2/

04-02-2020 14:56:40.255 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 2 14:56:39 2020).
Context: source::/APPLICATIONS/WebSphere/Logs/xxx2xxx/xxxEndpointCLONE2/xxxxENDPOINT_Splunk-messages.log|host::xxxx|ip_messages_sourcetype|680623

Best Regards,

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...