Hello to everyone!
One of the source types contains messages with no timestamp
<172>hostname: -Traceback: 0x138fc51 0x13928fa 0x1399b28 0x1327c33 0x3ba6c07dff 0x7fba45b0339d
To resolve this problem, I created a transform rule that successfully eliminated this "junk" from the index:
[wlc_syslog_rt0]
REGEX = ^<\d+>.*?:\s-Traceback:\s+
DEST_KEY = queue
FORMAT = nullQueue
But after it, I still have messages that indicate timestamp extraction failed
01-31-2024 15:08:17.539 +0300 WARN DateParserVerbose [17276 merging_0] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (20) characters of event. Defaulting to timestamp of previous event (Wed Jan 31 15:08:05 2024). Context: source=udp:1100|host=172.22.0.11|wlc_syslog|\r\n 566 similar messages suppressed. First occurred at: Wed Jan 31 15:03:13 2024
All events from this sourcetype look like this:
<172>hostname: *spamApTask0: Jan 31 12:58:47.692: %LWAPP-4-SIG_INFO1: [PA]spam_lrad.c:56582 Signature information; AP 00:57:d2:86:c0:30, alarm ON, standard sig Auth flood, track per-Macprecedence 5, hits 300, slot 0, channel 1, most offending MAC 54:14:f3:c8:a1:b3
Before asking, I tried to find events without a timestamp by using regex and cluster commands but didn't find anything
So, is it normal behavior that Splunk indicates timestamp absence before moving events to nullQueue, or did I do something wrong?
@NoSpaces - That could be true because Splunk applies Timestamp Parsing before Transforms (nullQueue).
I hope this helps to understand why you are seeing the log. Please upvote and accept if this helps and resolves your query!!!
You won't find events without a timestamp because Splunk always stores every event with a timestamp. If the event does not come with a timestamp or if the timestamp is invalid then Splunk will use the timestamp from the previous event.
The timestamp warning cited does not apply to the same sourcetype as the nullQueue transform. The warning is for wlc_syslog and the transform is for wlc_syslog_rt0.
I can find events without timestamps by using regex
It is not about the _time field but about the existence of "time" at the event
Apparently, my first explanation is not good enough 😃
See the Masa diagrams - https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...
Timestamp extraction is one of the very first steps in event processing. So even if you later decide to drop (send to nullQueue) some events, that will be done way later in the pipeline.
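A small model of that ordering, added here as an illustration and not code from the thread or from Splunk: stage one looks for a timestamp in a lookahead window (the MAX_TIMESTAMP_LOOKAHEAD of 20 characters from the warning) and falls back to the previous event's time when none is found, stage two applies the wlc_syslog_rt0 transform regex from the thread. The TIME_PREFIX pattern, the timestamp regex, the year and the two sample events are constructed assumptions shaped after the lines quoted above; they are not settings from the asker's props.conf.

```python
import re
from datetime import datetime

# Constructed sample events, shaped like the two lines quoted in the thread.
TRACEBACK_EVENT = ("<172>hostname: -Traceback: 0x138fc51 0x13928fa 0x1399b28 "
                   "0x1327c33 0x3ba6c07dff 0x7fba45b0339d")
NORMAL_EVENT = ("<172>hostname: *spamApTask0: Jan 31 12:58:47.692: %LWAPP-4-SIG_INFO1: "
                "[PA]spam_lrad.c:56582 Signature information; AP 00:57:d2:86:c0:30, alarm ON")

# REGEX from the wlc_syslog_rt0 transform in the thread (routes matches to nullQueue).
NULLQUEUE_REGEX = re.compile(r"^<\d+>.*?:\s-Traceback:\s+")

# Assumed TIME_PREFIX (not from the thread): skips "<PRI>host: *task: " so the
# lookahead window starts where the Cisco-style timestamp begins.
TIME_PREFIX = re.compile(r"^<\d+>[^:]+:\s+\*\w+:\s+")
MAX_TIMESTAMP_LOOKAHEAD = 20          # value quoted in the DateParserVerbose warning
TIMESTAMP_RE = re.compile(r"([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})")
ASSUMED_YEAR = 2024                   # the sample timestamp carries no year


def extract_timestamp(event):
    """Stage 1 (simplified): search only the lookahead window after TIME_PREFIX.

    Returns a datetime, or None when nothing parsable sits in the window,
    which is the case that produces the 'Failed to parse timestamp' warning.
    """
    m = TIME_PREFIX.search(event)
    start = m.end() if m else 0
    window = event[start:start + MAX_TIMESTAMP_LOOKAHEAD]
    ts = TIMESTAMP_RE.search(window)
    if ts is None:
        return None
    return datetime.strptime(f"{ASSUMED_YEAR} {ts.group(1)}", "%Y %b %d %H:%M:%S.%f")


def route(event):
    """Stage 2: transforms run after timestamp extraction; a match drops the event."""
    return "nullQueue" if NULLQUEUE_REGEX.search(event) else "indexQueue"


def process(events):
    """Run events through both stages in pipeline order and record what happened."""
    previous = None
    results = []
    for ev in events:
        ts = extract_timestamp(ev)
        warned = ts is None                 # the warning is logged here, before routing
        if warned:
            ts = previous                   # "Defaulting to timestamp of previous event"
        previous = ts
        results.append({
            "event": ev[:40],
            "timestamp": ts,
            "warning": warned,
            "queue": route(ev),             # dropping happens only at this later stage
        })
    return results


if __name__ == "__main__":
    for r in process([NORMAL_EVENT, TRACEBACK_EVENT]):
        print(r)
```

Running it shows the traceback event being logged as a timestamp failure (and inheriting the previous event's time) even though the very next stage sends it to nullQueue, which is exactly the sequence the warning in the question reflects.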
Thank you for the link to the diagram