Events are truncating for some messages

ramprakash · ‎04-02-2020

Hi All,

I have some of the messages being truncated in Splunk though all other similar messages are parsing perfectly. There is no error of Truncation in the logs. Messages are of 400 lines/event.

Props.conf(Indexer)

TRUNCATE = 0
MAX_EVENTS = 1000

Splunkd.log(Indexer) Error-

04-02-2020 14:48:57.391 +0200 WARN DateParserVerbose - Time parsed (Sun Sep 23 12:09:23 2012) is too far away from the previous event's time
(Thu Apr 2 14:48:56 2020) to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE (604800) may be overly restrictive.

Context: source::/APPLICATIONS/WebSphere/Logs/xxx/xxxEndpointCLONE2/xxxxENDPOINT_Splunk-messages.log|host::xxxx|ip_messages_sourcetype|680577

04-02-2020 14:56:40.255 +0200 WARN DateParserVerbose - A possible timestamp match (Sun Sep 23 12:09:23 2012) is outside of the acceptable time window.
If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::/APPLICATIONS/WebSphere/Logs/rxxx/xxxxEndpointCLONE2/
xxxxENDPOINT_Splunk-messages.log|host::xxx|ip_messages_sourcetype|680623

04-02-2020 14:56:40.255 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 2 14:56:39 2020).
Context: source::/APPLICATIONS/WebSphere/Logs/xxx2xxx/xxxEndpointCLONE2/xxxxENDPOINT_Splunk-messages.log|host::xxxx|ip_messages_sourcetype|680623

Best Regards,

Events are truncating for some messages

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!