Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Variable itsi_first_event_time including a comma

raguilarvt
New Member
‎05-03-2020 11:40 PM

When checking for errors at the platform I started noticing error events in the _internal log:

2020-05-04 02:08:56,972 ERROR [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:604 - FunctionName=ProcessSplunkSearchJobResults, Status=Failed, ErrorMessage="For input string: "1588515619,432""

Somehow the input timestamp has a comma instead of a dot. Also Episode Review is showing "Invalid date" for the initial date.

alt text

I traced down the first search and it was itsi_event_grouping using the itsi_event_management_group_index_with_close_events macro. This macro brings the itsi_first_event_time variable, which has the incorrect timestamp, including a comma instead of a dot: 1588515619,432.

As a quick fix for the macro I appended a function that replaces comma to a dot, but it hasn't changed the Episode Review dashboard 'invalid date' message.

In the spanish number format comma is used for decimals instead of a dot, it might be related somehow, because i'm using those locales in linux.

> LANG=es_CL.UTF-8
> LC_CTYPE="es_CL.UTF-8"
> LC_NUMERIC="es_CL.UTF-8"
> LC_TIME="es_CL.UTF-8"
> LC_COLLATE="es_CL.UTF-8"
> LC_MONETARY="es_CL.UTF-8"
> LC_MESSAGES="es_CL.UTF-8"
> LC_PAPER="es_CL.UTF-8"
> LC_NAME="es_CL.UTF-8"
> LC_ADDRESS="es_CL.UTF-8"
> LC_TELEPHONE="es_CL.UTF-8"
> LC_MEASUREMENT="es_CL.UTF-8"
> LC_IDENTIFICATION="es_CL.UTF-8"

Any help to resolve this issue is greatly appreciated!

Labels (2)
Preview file
20 KB
0 Karma
Reply

raguilarvt
New Member
‎05-15-2020 07:54 AM

Update: Changing the locale to en_US seems to have fixed the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...