Splunk IT Service Intelligence

Variable itsi_first_event_time including a comma

raguilarvt
New Member

When checking for errors on the platform, I started noticing error events in the _internal log:

2020-05-04 02:08:56,972 ERROR [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:604 - FunctionName=ProcessSplunkSearchJobResults, Status=Failed, ErrorMessage="For input string: "1588515619,432""

Somehow the input timestamp has a comma instead of a dot. Also Episode Review is showing "Invalid date" for the initial date.


I traced down the first search and it was itsi_event_grouping using the itsi_event_management_group_index_with_close_events macro. This macro brings the itsi_first_event_time variable, which has the incorrect timestamp, including a comma instead of a dot: 1588515619,432.

As a quick fix for the macro, I appended a function that replaces the comma with a dot, but it hasn't changed the Episode Review dashboard 'Invalid date' message.

In the Spanish number format, a comma is used for decimals instead of a dot. It might be related somehow, because I'm using those locales in Linux.

> LANG=es_CL.UTF-8
> LC_CTYPE="es_CL.UTF-8"
> LC_NUMERIC="es_CL.UTF-8"
> LC_TIME="es_CL.UTF-8"
> LC_COLLATE="es_CL.UTF-8"
> LC_MONETARY="es_CL.UTF-8"
> LC_MESSAGES="es_CL.UTF-8"
> LC_PAPER="es_CL.UTF-8"
> LC_NAME="es_CL.UTF-8"
> LC_ADDRESS="es_CL.UTF-8"
> LC_TELEPHONE="es_CL.UTF-8"
> LC_MEASUREMENT="es_CL.UTF-8"
> LC_IDENTIFICATION="es_CL.UTF-8"

Any help to resolve this issue is greatly appreciated!

0 Karma

raguilarvt
New Member

Update: Changing the locale to en_US seems to have fixed the issue.

0 Karma
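An added example (not from the original post and not Splunk code): Python that scans log text for the error quoted in the thread, extracts failed inputs that are epoch timestamps written with a comma decimal separator, and resolves the effective LC_NUMERIC from `locale` output using the POSIX precedence LC_ALL, LC_NUMERIC, LANG. Only the first sample log line comes from the post; the other sample lines, the sample locale text and all function names are constructed for illustration.

```python
import re

# First line is the error quoted in the post; the other two are constructed.
SAMPLE_LOG = '''\
2020-05-04 02:08:56,972 ERROR [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:604 - FunctionName=ProcessSplunkSearchJobResults, Status=Failed, ErrorMessage="For input string: "1588515619,432""
2020-05-04 02:09:01,120 INFO [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:610 - FunctionName=ProcessSplunkSearchJobResults, Status=Completed
2020-05-04 02:09:07,301 ERROR [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:604 - FunctionName=ProcessSplunkSearchJobResults, Status=Failed, ErrorMessage="For input string: "abc""
'''
# Constructed `locale` output in the shape shown in the post.
SAMPLE_LOCALE = 'LANG=es_CL.UTF-8\nLC_NUMERIC="es_CL.UTF-8"\nLC_ALL=\n'

FAILED_INPUT = re.compile(r'ErrorMessage="For input string: "([^"]*)""')
COMMA_EPOCH = re.compile(r'^(\d{9,11}),(\d{1,6})$')  # seconds,fraction

def comma_decimal_epochs(log_text):
    """Return (raw, normalized float) for each failed input shaped like an epoch with a comma."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_INPUT.search(line)
        e = COMMA_EPOCH.match(m.group(1)) if m else None
        if e:
            hits.append((m.group(1), float(f"{e.group(1)}.{e.group(2)}")))
    return hits

def parse_locale_output(text):
    """Parse NAME=value lines from `locale`; values may be double-quoted."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            env[name] = value.strip('"')
    return env

def effective_lc_numeric(env):
    """POSIX precedence: LC_ALL, then LC_NUMERIC, then LANG; unset or empty falls back to "C"."""
    for name in ("LC_ALL", "LC_NUMERIC", "LANG"):
        if env.get(name):
            return env[name]
    return "C"

if __name__ == "__main__":
    print(comma_decimal_epochs(SAMPLE_LOG))
    print(effective_lc_numeric(parse_locale_output(SAMPLE_LOCALE)))
```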