All Apps and Add-ons

Splunk Add-on for Microsoft Azure: Why am I getting Start Date/Time error "Unknown string format"?

kmanson
Path Finder

Getting an error when trying to read generic Azure Storage table logs. Even tried with the Start Date/Time blank and still get the error below. Any Ideas?

05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" Traceback (most recent call last):
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 426, in <module>
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     do_run()
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 305, in do_run
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     dateTimeStart = dateutil.parser.parse(marker)
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 1008, in parse
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     return DEFAULTPARSER.parse(timestr, **kwargs)
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"   File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 395, in parse
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py"     raise ValueError("Unknown string format")
05-10-2016 18:49:42.195 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py" ValueError: Unknown string format
0 Karma
1 Solution

kmanson
Path Finder

From Jason Conger: Try clearing the checkpoint. To do this, stop the Splunk instance where the Azure add-on is running and type the following at the command line:

$SPLUNK_HOME/bin/splunk clean inputdata AzureStorageTable

This worked for me.

View solution in original post

0 Karma

kmanson
Path Finder

From Jason Conger: Try clearing the checkpoint. To do this, stop the Splunk instance where the Azure add-on is running and type the following at the command line:

$SPLUNK_HOME/bin/splunk clean inputdata AzureStorageTable

This worked for me.

0 Karma

jconger
Splunk Employee
Splunk Employee

A new version (1.2.1) is available that should address this issue.

0 Karma

kmanson
Path Finder

Why is it even getting to line 304 in AzureStorageTable.py? There is no marker but its logging that there is a marker.

if marker is not None:
                # If we have a marker, then we just pick up there.
                logging.debug("Marker found for table %s: %s" % (table_name, marker))
                dateTimeStart = dateutil.parser.parse(marker)

ValueError: Unknown string format
        raise ValueError("Unknown string format")
      File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 395, in parse
        return DEFAULTPARSER.parse(timestr, **kwargs)
      File "/opt/splunk/etc/apps/TA-Azure/bin/dateutil/parser.py", line 1008, in parse
        dateTimeStart = dateutil.parser.parse(marker)
      File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 307, in do_run
        do_run()
      File "/opt/splunk/etc/apps/TA-Azure/bin/AzureStorageTable.py", line 429, in <module>
    Traceback (most recent call last):
    AzureStorageTable:306 - Marker found for table WADWindowsEventLogsTable: None
    AzureStorageTable:285 - Overriding dateTimeStart. New value = '2016-05-06 00:00:00'
    AzureStorageTable:280 - dateTimeStart = '2016-05-10T12:31:03.393043'
    AzureStorageTable:402 - XML: 'table_name' -> 'WADWindowsEventLogsTable'
    AzureStorageTable:398 - XML: found param 'table_name'
    AzureStorageTable:402 - XML: 'storage_account' -> 'REDACTED'
    AzureStorageTable:398 - XML: found param 'storage_account'
    AzureStorageTable:402 - XML: 'sourcetype' -> 'azure:storage:table'
    AzureStorageTable:398 - XML: found param 'sourcetype'
    AzureStorageTable:402 - XML: 'select_string' -> 'RawXml,Timestamp'
    AzureStorageTable:398 - XML: found param 'select_string'
    AzureStorageTable:402 - XML: 'pollingInterval' -> '60'
    AzureStorageTable:398 - XML: found param 'pollingInterval'
    AzureStorageTable:402 - XML: 'limit' -> '1000'
    AzureStorageTable:398 - XML: found param 'limit'
    AzureStorageTable:402 - XML: 'index' -> 'wineventlog'
    AzureStorageTable:398 - XML: found param 'index'
    AzureStorageTable:402 - XML: 'host' -> 'REDACTED'
    AzureStorageTable:398 - XML: found param 'host'
    AzureStorageTable:402 - XML: 'dateTimeStart' -> '2016-05-06'
    AzureStorageTable:398 - XML: found param 'dateTimeStart'
    AzureStorageTable:402 - XML: 'dateTimeColumn' -> 'Timestamp'
    AzureStorageTable:398 - XML: found param 'dateTimeColumn'
    AzureStorageTable:402 - XML: 'access_key' -> 'REDACTED'
    AzureStorageTable:398 - XML: found param 'access_key'
    AzureStorageTable:392 - XML: found stanza AzureStorageTable://REDACTED
    AzureStorageTable:387 - XML: found configuration
0 Karma

kmanson
Path Finder

Humm, still having the same errors. Whats the correct format for the date? I tried blank and 20160509T191536Z.

0 Karma

jconger
Splunk Employee
Splunk Employee

No date should work. But, 2016-05-09 should work as well.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...