Solved: Re: Why is the Hunk timestamp column displaying he...

samardutta · ‎03-15-2017

Trying to query custom log in s3 in json parquet format through Hunk. But for some reason hunk is not displaying timestamp field "starttime" correctly.

{"ap_mac_address":"FF-FF-FF-FF-FF-FF","base_user_name":"00:25:4B:98:6C:BF","starttime":"��\t��\u0011\u0000\u0000�%\u0000","uniquehash":"6393fb43ffb35fa93b051f0b3ab8b3f4"...}

When I query the same file with other tools like hive/impala it display correct timestamp.

Are there any setting to display the timestamp correctly?

thanks.

kpawar_splunk · ‎04-06-2017

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

View solution in original post

kpawar_splunk · ‎04-06-2017

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

kpawar_splunk · ‎04-06-2017

What is the type of timestamp field(starttime). Is it int96, int64 or some other type.

samardutta · ‎04-06-2017

It is INT96 type

Why is the Hunk timestamp column displaying hex character?

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...