Splunk IT Service Intelligence

Variable itsi_first_event_time including a comma

New Member

When checking for errors at the platform I started noticing error events in the _internal log:

2020-05-04 02:08:56,972 ERROR [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:604 - FunctionName=ProcessSplunkSearchJobResults, Status=Failed, ErrorMessage="For input string: "1588515619,432""

Somehow the input timestamp has a comma instead of a dot. Also Episode Review is showing "Invalid date" for the initial date.

alt text

I traced down the first search and it was itsi_event_grouping using the itsi_event_management_group_index_with_close_events macro. This macro brings the itsi_first_event_time variable, which has the incorrect timestamp, including a comma instead of a dot: 1588515619,432.

As a quick fix for the macro I appended a function that replaces comma to a dot, but it hasn't changed the Episode Review dashboard 'invalid date' message.

In the spanish number format comma is used for decimals instead of a dot, it might be related somehow, because i'm using those locales in linux.

> LANG=es_CL.UTF-8
> LC_CTYPE="es_CL.UTF-8"
> LC_TIME="es_CL.UTF-8"
> LC_PAPER="es_CL.UTF-8"
> LC_NAME="es_CL.UTF-8"

Any help to resolve this issue is greatly appreciated!

Labels (2)
0 Karma

New Member

Update: Changing the locale to en_US seems to have fixed the issue.

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...