Why am I getting DateParserVerbose warnings although DATETIME_CONFIG is set to NONE?

krdo
Communicator

Hi,

I'm forwarding CSV files to Splunk. The timestamp for each event in a file should be set to the file's modtime, therefore I've set DATETIME_CONFIG = NONE for the sourcetype in the props.conf on the indexer. This seems to work, but I'm getting lots of the following warnings:

WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sat Apr 20 02:39:10 2013). Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-31-Values.amf|host::MY_HOST|Application Metrics|112033
WARN DateParserVerbose - A possible timestamp match (Mon Sep 24 17:04:52 2007) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-30-Values.amf|host::MY_HOST|Application Metrics|111934

(131364 events produce 1694 warnings)

Why is Splunk trying to find/parse a timestamp? I thought DATETIME_CONFIG = NONE disables the date parser? Is it possible to disable the date parser (for a specific sourcetype)?

Issue occurs on a distributed system (6.4.3) and on a standalone Splunk instance (6.5.0).

EDIT

The props.conf on the forwarder:

###############################################################################
[Application Metrics]
###############################################################################

category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true

# Parsing Phase ###############################################################

CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_HEADER_REGEX = ^\s*[kK]ey\s*,
PREAMBLE_REGEX = ^\s*#

props.conf on the indexer:

###############################################################################
[Application Metrics]
###############################################################################

category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true

# Parsing Phase ###############################################################

DATETIME_CONFIG = NONE

Events around the time at which the warnings are logged:

[Screenshot: events around the time of the warnings]

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee

Try setting: DATETIME_CONFIG = CURRENT on the forwarder since you are using indexed_extractions

krdo
Communicator

Thanks for the reply,
I'll try that. Should I change the props.conf on the indexer as well?
Does DATETIME_CONFIG even influence the forwarder's behavior? Looking at http://wiki.splunk.com/Community:HowIndexingWorks it seems like it is only used by the indexer.

0 Karma

dmaislin_splunk
Splunk Employee

You can remove that on the indexer as indexed extractions are done on the forwarder props.conf.

0 Karma

krdo
Communicator

We moved DATETIME_CONFIG = NONE from the props.conf on the indexer to the forwarder props.conf and it works like a charm. Thanks for pointing that out!

0 Karma

dmaislin_splunk
Splunk Employee

PERFECT. Please upvote my answer and have a nice day.

0 Karma

dmaislin_splunk
Splunk Employee

Include a sample of some events, include your props.conf so we can comment properly. Thanks!

0 Karma

krdo
Communicator

I've updated my question (added props.conf and a screenshot showing resulting events).

0 Karma
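
Added example (not part of the original thread and not Splunk code): a Python script that groups DateParserVerbose warnings like the two quoted in the question by sourcetype, so that after a props.conf change you can check whether a sourcetype still reaches the date parser and which timestamps it was guessing. The sample lines and the `other_csv` sourcetype are constructed; the page does not say what the last Context field means, so it is kept as an opaque value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the warnings quoted in the question
# (paths shortened; "other_csv" is hypothetical; last line is a control line).
SAMPLE_LOG = r"""
WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sat Apr 20 02:39:10 2013). Context: source::D:\LogFiles\a-Values.amf|host::MY_HOST|Application Metrics|112033
WARN DateParserVerbose - A possible timestamp match (Mon Sep 24 17:04:52 2007) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::D:\LogFiles\b-Values.amf|host::MY_HOST|Application Metrics|111934
WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sat Apr 20 02:39:10 2013). Context: source::D:\LogFiles\c.log|host::MY_HOST|other_csv|7
INFO Metrics - group=pipeline, name=parsing
"""

# Context layout as seen on the page: source::<path>|host::<host>|<sourcetype>|<opaque>
WARNING_RE = re.compile(
    r"WARN\s+DateParserVerbose - (?P<msg>.*?)\s*Context: source::(?P<source>.*?)"
    r"\|host::(?P<host>[^|]*)\|(?P<sourcetype>[^|]*)\|(?P<tail>[^|]*)$"
)
# Timestamp the date parser guessed or fell back to, e.g. (Sat Apr 20 02:39:10 2013)
GUESS_RE = re.compile(r"\((\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\)")


def classify(msg):
    """Map a warning message to a short kind label."""
    if msg.startswith("Failed to parse timestamp"):
        return "parse_failed"
    if "outside of the acceptable time window" in msg:
        return "outside_window"
    return "other"


def summarize(log_text):
    """Group DateParserVerbose warnings by sourcetype."""
    report = defaultdict(
        lambda: {"counts": defaultdict(int), "sources": set(), "guessed": set()}
    )
    for line in log_text.splitlines():
        m = WARNING_RE.search(line.strip())
        if not m:
            continue  # not a DateParserVerbose warning
        entry = report[m["sourcetype"]]
        entry["counts"][classify(m["msg"])] += 1
        entry["sources"].add(m["source"])
        g = GUESS_RE.search(m["msg"])
        if g:  # assumes English day/month names (C locale)
            entry["guessed"].add(datetime.strptime(g[1], "%a %b %d %H:%M:%S %Y"))
    return report
```

Run `summarize()` over the text of splunkd.log before and after the configuration change; a sourcetype that no longer appears in the result is no longer producing these warnings.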