Solved: Re: Why is the Hunk timestamp column displaying he...

samardutta · ‎03-15-2017

Trying to query custom log in s3 in json parquet format through Hunk. But for some reason hunk is not displaying timestamp field "starttime" correctly.

{"ap_mac_address":"FF-FF-FF-FF-FF-FF","base_user_name":"00:25:4B:98:6C:BF","starttime":"��\t��\u0011\u0000\u0000�%\u0000","uniquehash":"6393fb43ffb35fa93b051f0b3ab8b3f4"...}

When I query the same file with other tools like hive/impala it display correct timestamp.

Are there any setting to display the timestamp correctly?

thanks.

kpawar_splunk · ‎04-06-2017

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

View solution in original post

kpawar_splunk · ‎04-06-2017

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

View solution in original post

kpawar_splunk · ‎04-06-2017

What is the type of timestamp field(starttime). Is it int96, int64 or some other type.

samardutta · ‎04-06-2017

It is INT96 type

Why is the Hunk timestamp column displaying hex character?

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >

Why is the Hunk timestamp column displaying hex character?

Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >