I'm running Splunk version 4.1.5, build 85165 on a Win2003 32-bit server with a dual-core CPU and 4GB RAM. I realize Win2003 32-bit is not recommended, but I'm guessing it might not be the root cause of this problem.
I have around 50 hosts sending syslog messages to it on UDP:514 and I realized that the server is not indexing around 50% of data with the right timestamp. There are arbitrary gaps of several minutes after which it starts indexing properly again.
Here are two samples of the tons of errors I'm seeing in splunkd.log. Interestingly, they all have the same incorrect parsed timestamp 'Sat Nov 27 00:02:19 2010'. What could possibly be causing this? I've compared the wireshark captures with messages that are indexed properly and I don't see any differences. It's making the server unusable for the monitoring I need it to do.
12-01-2010 19:44:42.449 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Sat Nov 27 00:02:19 2010) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.
12-01-2010 19:44:42.449 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::udp:514|host::Splunk-Server|syslog|" Text="I:..."
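A small triage script for splunkd.log that tallies these DateParserVerbose warnings by parsed timestamp and by source/host, so the affected senders and the recurring bogus timestamp can be seen at a glance. This is an added example, not part of the original post; the sample log lines are constructed to mirror the two quoted above, and the host name fw-edge-01 is made up.

```python
import re
from collections import Counter

# Constructed sample splunkd.log lines modelled on the warnings quoted above.
SAMPLE_LOG = """\
12-01-2010 19:44:42.449 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Sat Nov 27 00:02:19 2010) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.
12-01-2010 19:44:42.449 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::udp:514|host::Splunk-Server|syslog|" Text="I:..."
12-01-2010 19:44:43.102 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Sat Nov 27 00:02:19 2010) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.
12-01-2010 19:44:43.102 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::udp:514|host::fw-edge-01|syslog|" Text="<34>..."
12-01-2010 19:45:10.000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=12.3
"""

# Out-of-window warning: capture the timestamp Splunk extracted from the event.
WINDOW_RE = re.compile(r"matching timestamps \((?P<ts>[^)]+)\) outside of the acceptable time window")
# Failed-parse warning: capture the Context="source::...|host::...|sourcetype|" string.
FAILED_RE = re.compile(r'Failed to parse timestamp for event\. Context="(?P<ctx>[^"]*)"')


def parse_context(ctx):
    """Turn 'source::udp:514|host::X|syslog|' into {'source': 'udp:514', 'host': 'X'}."""
    fields = {}
    for part in ctx.split("|"):
        if "::" in part:
            key, value = part.split("::", 1)
            fields[key] = value
    return fields


def triage(log_text):
    """Return (Counter of out-of-window timestamps, Counter of failed parses per (source, host))."""
    bad_timestamps = Counter()
    failed_by_context = Counter()
    for line in log_text.splitlines():
        m = WINDOW_RE.search(line)
        if m:
            bad_timestamps[m.group("ts")] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            f = parse_context(m.group("ctx"))
            failed_by_context[(f.get("source", "?"), f.get("host", "?"))] += 1
    return bad_timestamps, failed_by_context


if __name__ == "__main__":
    timestamps, contexts = triage(SAMPLE_LOG)
    for ts, n in timestamps.most_common():
        print(f"{n:5d}  out-of-window timestamp {ts!r}")
    for (source, host), n in contexts.most_common():
        print(f"{n:5d}  failed parses  source={source} host={host}")
```

Run it against the real file instead of SAMPLE_LOG to see whether one timestamp and a handful of hosts account for the gaps, or whether the warnings are spread across all senders.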