Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Time stamp issue with collectd?

daniel333
Builder
‎08-07-2019 01:23 PM

All,

I am receiving the following error in Splunk. 

08-07-2019 17:56:59.597 +0000 WARN  DateParserVerbose - A possible timestamp match (Fri Feb 11 02:54:04 2011) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=http:collectd|host=myhost.mydomain.com|linux:collectd:http:metrics|

Here is my config:

#collectd.conf
LoadPlugin write_http
<Plugin write_http>
  <Node "node-http-1">
    URL "https://localhost:8088/services/collector/raw?channel=AAAAAAA-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Header "Authorization: Splunk AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Format "JSON"
    Metrics true
    StoreRates true
    VerifyPeer false
  </Node>
</Plugin>

<Plugin cpu>
   ReportByCpu true
   ReportByState true
   ValuesPercentage true
</Plugin>

<Plugin memory>
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin swap>
        ReportByDevice true
        ReportBytes true
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin vmem>
        Verbose false
</Plugin>

<Plugin df>
#       Device "/dev/hda1"
#       Device "192.168.0.2:/mnt/nfs"
#       MountPoint "/home"
#       FSType "ext3"
        ReportByDevice true
#       ReportInodes false
#       ValuesAbsolute true
        ValuesPercentage true
</Plugin>


<Plugin load>
        ReportRelative true
</Plugin>


<Plugin processes>
         ProcessMatch "all" "(.*)"
</Plugin>

Here is my inputs.conf

[http://collectd]
  disabled = 0
  index = collectd
  indexes = collectd
  sourcetype = linux:collectd:http:metrics
  token = AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA

and here is my props.conf

# props.conf
[linux:collectd:http:metrics]
  METRICS_PROTOCOL = COLLECTD_HTTP

Any ideas?

0 Karma
Reply

jacobpevans
Motivator
‎08-07-2019 02:42 PM

What does the data look like?

You can either use: DATETIME_CONFIG = CURRENT to ignore timestamps in the data and use the current time (not ideal when possible) or use a combination of these to properly parse the timestamp: MAX_TIMESTAMP_LOOKAHEAD = <integer>, TIME_PREFIX = <regular expression>, TIME_FORMAT = <strptime-style format>

If you really have an event from 8 years ago, you need to increase MAX_DAYS_AGO = <integer>

https://docs.splunk.com/Documentation/Splunk/latest/Admin/PropsConf

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

daniel333
Builder
‎08-07-2019 04:28 PM

How can I see the raw structure of the collectd metric to populate these fields?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...