I am getting the following error in Splunk when sending an event from Stream:
04-20-2023 04:21:09.000 +0000 INFO IndexWriter [7972 indexerPipe] - idx=goat: found event timestamped=1681964469123 is out of range. Using 1680307200.
Here’s what _time looks like, in Stream, when viewing the data:
{
“_raw”: “”,
“_time”: 1681964469123,
“cribl_breaker”: “”,
“index”: “”,
“source”: “”,
“sourcetype”: “”,
“cribl_pipe”: “”
}
Best answer by Jeremy Prescott
In my experience, Splunk isnt a fan of 13 digit epoch timestamps which look like ** 1681964469123**, and prefers something like ** 1681964469.123**.
You could create an Eval which divides _time by 1000:
Which should resolve the issue.
In my experience, Splunk isnt a fan of 13 digit epoch timestamps which look like ** 1681964469123**, and prefers something like ** 1681964469.123**.
You could create an Eval which divides _time by 1000:
Which should resolve the issue.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.