So the reason for the observed error, only reported by the heavy forwarders, seems clear. The TA is not installed on the heavy forwarders.

I might be missing some dependency but I fail to see where this date would fit?

The HF complains about the incorrectly genereated dates as being "out of bounds", but the output from the script does not contain "year" or a reasonable "timestamp" (as the year is missing).

PRINTF='{printf "%-30s %-30.30s %-s\n", username, from, latest}'
if [ "$KERNEL" = "Linux" ] ; then
    CMD='last -iw'
    # shellcheck disable=SC2016
    FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
    # shellcheck disable=SC2016
    FORMAT='{username = $1; from = (NF==10) ? $3 : "<console>"; latest = $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3)}'

The incorrect years are not included in the indexed events, so it seems that there is little to gain by trying to "fix" this on the HF layer?

The set-up is Universal Forwarder (TA nix) --> Heavy Forwarder () --> Indexer () --> Search Head (TA nix). The documentations seems to indicate installing the plugin on HF as "optional" (Install the Splunk Add-on for Unix and Linux - Splunk Documentation)? The intention would not be "data collection" from the HF server and I don't see that this would necessarily fix the issue?

If these events from lastlog.sh should not contain years and do not contain a readable timestamp, then should this error not be automatically supressed by the HF?

The input produces... something. It doesn't have a reasonable date, at least not one which could be used as "current" timestamp. And the whole output of lastlog should be ingested as one event (the LINE_BREAKER is set to a never-matching pattern). That's why the DATETIME_CONFIG=current setting is in place - the event will always be indexed at the time it arrived at the indexer (or HF if there is one in the way).

Since you don't have the TA_nix installed on the HF, Splunk does two things by default:

1) Breaks the whole lastlog output into separate events on the default LINE_BREAKER (which means every line is treated as separate event)

2) Since it doesn't have proper settings for timestamp extraction (by default there aren't any), it tries to guess where and what the timestamp within the event is. And it guesses completely wrongly.

So yes, you should have the TA_nix (of course with inputs disabled if you don't need them there) installed on your HFs if they are in your ingestion path.

As a rule of thumb - index-time settings are applied on the first "heavy" component in event's path so if you're having UF1->UF2->HF1->HF2->idx, the event is being parsed on HF1. And there is where you need to install the addons for index-time operations.

Two caveats:

1) Ingest actions can happen after that.

2) If you use INDEXED_EXTRACTIONS, they happen immediately on the initial input component (so in our case - on UF1) and the data is sent downstream as parsed and not touched again before indexing (with the possible exception of ingest actions again).

You are of course welcome to post a feedback to the docs page. I do that fairly often if I find something explained not clearly enough or in not enough detail. 🙂 There's a little feedback form on the bottom of each docs page.

Checking the "host" details these complaints are all coming from the heavy forwarders, so I assumed this is where I should be checking.

Running the command on a heavy forwarder produced the following output:

/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml

 While on any search head or indexer the output is as you suggested:

/opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf DATETIME_CONFIG = CURRENT

There is no '/etc/datetime.xml', however there is an '/opt/splunk/etc/datetime.xml' file. I have no idea of the configuration is reffering to a non-existing file or the built in Splunk one. I don't know if or why anyone would have modified this setting, or the consequences of doing such.

I'll do some reasearch on my own but any feedback and/or suggestions are more than welcome