Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Last indexed event is in the future

r_devos
Explorer
‎05-15-2013 08:49 AM

I've noticed that the last indexed event in my Splunk instance is set to 19 Jan 2038.
I have tried to find this event with the following search query:
host=* | head 5. But this search just returns the latest events of today, not the ones of the year 2038. Searching with a custom time didn't work either: Splunk incorrectly states that the end date is before the start date when you try to search in the year 2038. Searching with the keywords latest and earliest also didn't find this event.

So my question is: how do I find this event and how do I get rid of it? (I would include screen shots but it doesn't let me because my karma is too low)

Tags (3)
0 Karma
Reply

andreasz
Path Finder
‎05-16-2013 04:59 AM

I think your metadata are corrupt.

You can see the corrupted metadata with the following statement:

| metadata type=sourcetypes | stats max(lastTime) as max | eval max=strftime(max,"%c")

max

Tue Jan 19 04:14:07 2038

Here you can find a description how to check and repair Metadata:
http://wiki.splunk.com/Check_and_Repair_Metadata

Reply

andreasz
Path Finder
‎05-16-2013 07:46 AM

sorry, I forgot to mention, that you have to set the timeline to: Real time -> All Time (real time)
Than you should see the result

0 Karma
Reply

r_devos
Explorer
‎05-16-2013 07:38 AM

Thanks for your answer. I tried the search you mentioned but it returned the latest event of today, not the one of 2038. (I also tried setting a custom time, but this didn't help either).
To make matters worse, after trying to repair the metadata, Splunkd refuses to start again (Splunkweb starts just fine).
Fortunately this was just a test set-up, I'll start again from scratch and I just hope this problem doesn't return.

0 Karma
Reply

r_devos
Explorer
‎05-16-2013 01:41 AM

Thank you for your answers so far, unfortunately I still have not found the event from January 2038.
I've tried with 'latest' but it didn't show any events for the year 2038.
When I tried with earliest=+1d I got the following error message "Failed to start search on peer '...'."
Splunk is running on Windows Server 2008 R2 (x64), so the UNIX time "ending" on 19 Jan 2038 is probably not the root cause. I have however one Linux server sending event data to Splunk, so maybe that Linux server sent an event with a corrupt time stamp...

0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-15-2013 01:26 PM

host=* earliest=+1d

will let you find events from the future, so-to-speak.

0 Karma
Reply

rgcurry
Contributor
‎05-15-2013 11:26 AM

The problem with year 2038 may be due to UNIX Epoch time if your Splunk instance is running on a 32-bit UNIX system. Note the following:

"At 03:14:08 UTC on 19 January 2038, 32-bit versions of the Unix time stamp will cease to work, as it will overflow the largest value that can be held in a signed 32-bit number. ..."

Retrieved May 15, 2013 from http://en.wikipedia.org/wiki/Unix_time.

Reply

sdaniels
Splunk Employee
Splunk Employee
‎05-15-2013 09:01 AM

Sounds like a timestamping format issue. Can you find the event by doing this: 'latest=26y' or is that what you tried already?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...