Solved: Re: Why is the Hunk timestamp column displaying he...

samardutta · ‎03-15-2017

Trying to query custom log in s3 in json parquet format through Hunk. But for some reason hunk is not displaying timestamp field "starttime" correctly.

{"ap_mac_address":"FF-FF-FF-FF-FF-FF","base_user_name":"00:25:4B:98:6C:BF","starttime":"��\t��\u0011\u0000\u0000�%\u0000","uniquehash":"6393fb43ffb35fa93b051f0b3ab8b3f4"...}

When I query the same file with other tools like hive/impala it display correct timestamp.

Are there any setting to display the timestamp correctly?

thanks.

kpawar_splunk · ‎04-06-2017

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

View solution in original post

kpawar_splunk · ‎04-06-2017

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

kpawar_splunk · ‎04-06-2017

What is the type of timestamp field(starttime). Is it int96, int64 or some other type.

samardutta · ‎04-06-2017

It is INT96 type

Why is the Hunk timestamp column displaying hex character?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms