Getting Data In

Time stamp issue with collectd?



I am receiving the following error in Splunk.

08-07-2019 17:56:59.597 +0000 WARN  DateParserVerbose - A possible timestamp match (Fri Feb 11 02:54:04 2011) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=http:collectd||linux:collectd:http:metrics|

Here is my config:

LoadPlugin write_http
<Plugin write_http>
  <Node "node-http-1">
    URL "https://localhost:8088/services/collector/raw?channel=AAAAAAA-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Header "Authorization: Splunk AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Format "JSON"
    Metrics true
    StoreRates true
    VerifyPeer false

<Plugin cpu>
   ReportByCpu true
   ReportByState true
   ValuesPercentage true

<Plugin memory>
        ValuesAbsolute true
        ValuesPercentage true

<Plugin swap>
        ReportByDevice true
        ReportBytes true
        ValuesAbsolute true
        ValuesPercentage true

<Plugin vmem>
        Verbose false

<Plugin df>
#       Device "/dev/hda1"
#       Device ""
#       MountPoint "/home"
#       FSType "ext3"
        ReportByDevice true
#       ReportInodes false
#       ValuesAbsolute true
        ValuesPercentage true

<Plugin load>
        ReportRelative true

<Plugin processes>
         ProcessMatch "all" "(.*)"

Here is my inputs.conf

  disabled = 0
  index = collectd
  indexes = collectd
  sourcetype = linux:collectd:http:metrics
  token = AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA

and here is my props.conf

# props.conf

Any ideas?

0 Karma


What does the data look like?

You can either use: DATETIME_CONFIG = CURRENT to ignore timestamps in the data and use the current time (not ideal when possible) or use a combination of these to properly parse the timestamp: MAX_TIMESTAMP_LOOKAHEAD = <integer>, TIME_PREFIX = <regular expression>, TIME_FORMAT = <strptime-style format>

If you really have an event from 8 years ago, you need to increase MAX_DAYS_AGO = <integer>


If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma


How can I see the raw structure of the collectd metric to populate these fields?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...