Getting Data In

Why is the Hunk timestamp column displaying hex character?

samardutta
Engager

Trying to query custom log in s3 in json parquet format through Hunk. But for some reason hunk is not displaying timestamp field "starttime" correctly.

{"ap_mac_address":"FF-FF-FF-FF-FF-FF","base_user_name":"00:25:4B:98:6C:BF","starttime":"��\t��\u0011\u0000\u0000�%\u0000","uniquehash":"6393fb43ffb35fa93b051f0b3ab8b3f4"...}

When I query the same file with other tools like hive/impala it display correct timestamp.

Are there any setting to display the timestamp correctly?

thanks.

0 Karma
1 Solution

kpawar_splunk
Splunk Employee
Splunk Employee

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

View solution in original post

kpawar_splunk
Splunk Employee
Splunk Employee

INT96 type is deprecated by parquet.
Official link here : https://issues.apache.org/jira/browse/PARQUET-323
Hunk currently does not support int96 type.
You can follow recommendation in the link (https://issues.apache.org/jira/browse/PARQUET-323) to replace int96 with some other type.

kpawar_splunk
Splunk Employee
Splunk Employee

What is the type of timestamp field(starttime). Is it int96, int64 or some other type.

0 Karma

samardutta
Engager

It is INT96 type

0 Karma
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...