Splunk IT Service Intelligence

Variable itsi_first_event_time including a comma

raguilarvt
New Member

When checking for errors at the platform I started noticing error events in the _internal log:

2020-05-04 02:08:56,972 ERROR [itsi_re(reId=V26C,reMode=RealTime)] [main] TaskManager:604 - FunctionName=ProcessSplunkSearchJobResults, Status=Failed, ErrorMessage="For input string: "1588515619,432""

Somehow the input timestamp has a comma instead of a dot. Also Episode Review is showing "Invalid date" for the initial date.

alt text

I traced down the first search and it was itsi_event_grouping using the itsi_event_management_group_index_with_close_events macro. This macro brings the itsi_first_event_time variable, which has the incorrect timestamp, including a comma instead of a dot: 1588515619,432.

As a quick fix for the macro I appended a function that replaces comma to a dot, but it hasn't changed the Episode Review dashboard 'invalid date' message.

In the spanish number format comma is used for decimals instead of a dot, it might be related somehow, because i'm using those locales in linux.

> LANG=es_CL.UTF-8
> LC_CTYPE="es_CL.UTF-8"
> LC_NUMERIC="es_CL.UTF-8"
> LC_TIME="es_CL.UTF-8"
> LC_COLLATE="es_CL.UTF-8"
> LC_MONETARY="es_CL.UTF-8"
> LC_MESSAGES="es_CL.UTF-8"
> LC_PAPER="es_CL.UTF-8"
> LC_NAME="es_CL.UTF-8"
> LC_ADDRESS="es_CL.UTF-8"
> LC_TELEPHONE="es_CL.UTF-8"
> LC_MEASUREMENT="es_CL.UTF-8"
> LC_IDENTIFICATION="es_CL.UTF-8"

Any help to resolve this issue is greatly appreciated!

Labels (2)
0 Karma

raguilarvt
New Member

Update: Changing the locale to en_US seems to have fixed the issue.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...