Getting Data In

Time stamp issue with collectd?

daniel333
Builder

All,

I am receiving the following error in Splunk.

08-07-2019 17:56:59.597 +0000 WARN  DateParserVerbose - A possible timestamp match (Fri Feb 11 02:54:04 2011) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=http:collectd|host=myhost.mydomain.com|linux:collectd:http:metrics|

Here is my config:

#collectd.conf
LoadPlugin write_http
<Plugin write_http>
  <Node "node-http-1">
    URL "https://localhost:8088/services/collector/raw?channel=AAAAAAA-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Header "Authorization: Splunk AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA"
    Format "JSON"
    Metrics true
    StoreRates true
    VerifyPeer false
  </Node>
</Plugin>

<Plugin cpu>
   ReportByCpu true
   ReportByState true
   ValuesPercentage true
</Plugin>

<Plugin memory>
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin swap>
        ReportByDevice true
        ReportBytes true
        ValuesAbsolute true
        ValuesPercentage true
</Plugin>

<Plugin vmem>
        Verbose false
</Plugin>

<Plugin df>
#       Device "/dev/hda1"
#       Device "192.168.0.2:/mnt/nfs"
#       MountPoint "/home"
#       FSType "ext3"
        ReportByDevice true
#       ReportInodes false
#       ValuesAbsolute true
        ValuesPercentage true
</Plugin>


<Plugin load>
        ReportRelative true
</Plugin>


<Plugin processes>
         ProcessMatch "all" "(.*)"
</Plugin>

Here is my inputs.conf

[http://collectd]
  disabled = 0
  index = collectd
  indexes = collectd
  sourcetype = linux:collectd:http:metrics
  token = AAAAAAAA-abcd-abcd-abcd-AAAAAAAAAAAAAAAAA

and here is my props.conf

# props.conf
[linux:collectd:http:metrics]
  METRICS_PROTOCOL = COLLECTD_HTTP

Any ideas?

0 Karma

jacobpevans
Motivator

What does the data look like?

You can either use: DATETIME_CONFIG = CURRENT to ignore timestamps in the data and use the current time (not ideal when possible) or use a combination of these to properly parse the timestamp: MAX_TIMESTAMP_LOOKAHEAD = <integer>, TIME_PREFIX = <regular expression>, TIME_FORMAT = <strptime-style format>

If you really have an event from 8 years ago, you need to increase MAX_DAYS_AGO = <integer>

https://docs.splunk.com/Documentation/Splunk/latest/Admin/PropsConf

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

daniel333
Builder

How can I see the raw structure of the collectd metric to populate these fields?

0 Karma
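One way to look at the raw structure asked about above, as an added example that is not from either poster or from Splunk: it walks a payload in collectd's write_http JSON layout, decodes every numeric field as epoch seconds, and checks it against the MAX_DAYS_AGO / MAX_DAYS_HENCE window named in the warning. The payload is constructed; the second record's value was chosen so that it decodes to the date in the warning, purely for illustration, and the window limits are assumed to be the props.conf defaults.

```python
import json
from datetime import datetime, timezone

MAX_DAYS_AGO, MAX_DAYS_HENCE = 2000, 2  # props.conf defaults; assumed not overridden

# Constructed payload in collectd write_http JSON layout (not from the poster's host).
SAMPLE = json.dumps([
    {"values": [97.4], "dstypes": ["gauge"], "dsnames": ["value"],
     "time": 1565200619.597, "interval": 10.0, "host": "myhost.mydomain.com",
     "plugin": "cpu", "plugin_instance": "0", "type": "percent", "type_instance": "idle"},
    {"values": [1297392844], "dstypes": ["gauge"], "dsnames": ["value"],
     "time": 1565200619.597, "interval": 10.0, "host": "myhost.mydomain.com",
     "plugin": "memory", "plugin_instance": "", "type": "memory", "type_instance": "used"},
])

def window_verdict(epoch, now):
    """Classify an epoch-seconds value against the acceptance window around `now`."""
    age_days = (now.timestamp() - epoch) / 86400
    if age_days > MAX_DAYS_AGO:
        return "too_old"
    if age_days < -MAX_DAYS_HENCE:
        return "too_new"
    return "ok"

def numeric_fields(record):
    """Yield (field_name, number) for every numeric leaf, including list items."""
    for key, val in record.items():
        items = val if isinstance(val, list) else [val]
        for i, item in enumerate(items):
            if isinstance(item, (int, float)) and not isinstance(item, bool):
                yield (f"{key}[{i}]" if isinstance(val, list) else key), item

def audit(payload, now):
    """Return (plugin, field, value, utc_string, verdict) for each numeric field."""
    rows = []
    for rec in json.loads(payload):
        for name, num in numeric_fields(rec):
            try:
                when = datetime.fromtimestamp(num, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
            except (OverflowError, OSError, ValueError):
                continue  # number cannot be read as a date at all
            rows.append((rec.get("plugin"), name, num, when, window_verdict(num, now)))
    return rows

if __name__ == "__main__":
    splunk_clock = datetime(2019, 8, 7, 17, 56, 59, tzinfo=timezone.utc)  # time of the WARN line
    for row in audit(SAMPLE, splunk_clock):
        if row[3] == "Fri Feb 11 02:54:04 2011":  # date quoted in the warning
            print(row)
```

To run it against real data, replace SAMPLE with a payload captured from the collectd host; small numbers such as interval will always classify as too_old, so filter on the decoded date as the main block does.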