Variable itsi_first_event_time including a comma

raguilarvt · ‎05-03-2020

When checking for errors at the platform I started noticing error events in the _internal log:

2020-05-04 02:08:56,972 ERROR [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:604 - FunctionName=ProcessSplunkSearchJobResults, Status=Failed, ErrorMessage="For input string: "1588515619,432""

Somehow the input timestamp has a comma instead of a dot. Also Episode Review is showing "Invalid date" for the initial date.

I traced down the first search and it was itsi_event_grouping using the itsi_event_management_group_index_with_close_events macro. This macro brings the itsi_first_event_time variable, which has the incorrect timestamp, including a comma instead of a dot: 1588515619,432.

As a quick fix for the macro I appended a function that replaces comma to a dot, but it hasn't changed the Episode Review dashboard 'invalid date' message.

In the spanish number format comma is used for decimals instead of a dot, it might be related somehow, because i'm using those locales in linux.

> LANG=es_CL.UTF-8
> LC_CTYPE="es_CL.UTF-8"
> LC_NUMERIC="es_CL.UTF-8"
> LC_TIME="es_CL.UTF-8"
> LC_COLLATE="es_CL.UTF-8"
> LC_MONETARY="es_CL.UTF-8"
> LC_MESSAGES="es_CL.UTF-8"
> LC_PAPER="es_CL.UTF-8"
> LC_NAME="es_CL.UTF-8"
> LC_ADDRESS="es_CL.UTF-8"
> LC_TELEPHONE="es_CL.UTF-8"
> LC_MEASUREMENT="es_CL.UTF-8"
> LC_IDENTIFICATION="es_CL.UTF-8"

Any help to resolve this issue is greatly appreciated!

raguilarvt · ‎05-15-2020

Update: Changing the locale to en_US seems to have fixed the issue.

Variable itsi_first_event_time including a comma

configuration

troubleshooting

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!