Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

universal forwarder trying to parse the data

reggie_123
Explorer
‎09-28-2016 09:44 PM

I have a UF monitoring a couple of files on a AIX box.
The UF is forwarding the data to a HF, I verified this in outputs.conf.
There are no props.conf present for that input on the UF, only at the HF, and they are obviously not being honored.
For some strange reason, I see "Breaking event" and "DateParserVerbose" errors on the UF.
How come the parsing phase takes place on the UF and not only the forwarding of the data ? I didn't get this behavior on any of my other UFs.
This is not an indexed_extraction.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-29-2016 09:00 AM

The only data that will be parsed on an Universal or Lightweight forwarders (and all forwarders) will be the sourcetypes using INDEXED_EXTRACTIONS. that do tailing time structured data parsing.
usually : xml, json, IIS, etc ...

see http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata

Check your data format and sourcetype.
then if it is the case, you can prevent the errors by tuning your sourcetype parsing on the forwarder props.conf directly (like the MAX_EVENTS to raise to more than 256)

0 Karma
Reply

somesoni2
Revered Legend
‎09-28-2016 10:00 PM

Could you post some of the error samples that you see in UF? Also, when you say you're seeing those in UF, it means you see those in physical splunkd.log file on UF?

0 Karma
Reply

reggie_123
Explorer
‎09-28-2016 10:03 PM

Exactly, on the UF box, on it's splunkd log.
Examples:
"DateParserVerbose - Time parsed (Mon May 30 21:00:00 2016) is too far away from the previous event's time"
"AggregatorMiningProcessor - Breaking event because limit of 256 has been exceeded"
I expect to see such messages only on the HF

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...