Hi,
I've noticed that none of the scripts in Splunk_TA_nix actually include a timestamp in their output. Mostly, this doesn't cause issues, but in a few cases, the timestamp that Splunk guesses is wildly wrong. In one case in particular, my indexers are unfortunately dead certain that one forwarder is forever stuck in time. Between 19:00 yesterday and 01:40 today, there are no events for the `netstat` source from this host. Then, at 01:40, there are currently 330 events and this number keeps growing.
For a bunch of other sources, such as `vmstat`, `lastlog` and `top`, the timestamps are really all over the place, for many hosts. The timestamps are both in the future and the distant past. I can deal with the future, by ignoring it, deleting the events or setting `MAX_DAYS_HENCE`, but the past is a bit more difficult, since we do need to ingest a whole lot of historical data.
Any tips?
(I also question the wisdom of omitting the timestamp...)
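An added example, not taken from the post above or from Splunk_TA_nix itself: a `props.conf` fragment that stops Splunk guessing a timestamp for script output that carries none, by stamping each event with the time it is parsed. The sourcetype names are assumed to match what the TA's `inputs.conf` assigns; check them on your forwarder before copying.

```ini
# props.conf on the indexers (or heavy forwarders) that parse these events.
# A universal forwarder does not apply DATETIME_CONFIG itself, so putting
# this on the forwarder alone has no effect.
#
# Assumption: sourcetype names below match the TA's inputs.conf stanzas.

[netstat]
# The script prints no timestamp; without this, Splunk falls back to the
# previous event's time, which is how a host gets "stuck" at 01:40.
DATETIME_CONFIG = CURRENT

[vmstat]
DATETIME_CONFIG = CURRENT

[lastlog]
DATETIME_CONFIG = CURRENT

[top]
DATETIME_CONFIG = CURRENT

# Do NOT lower MAX_DAYS_AGO globally while historical data still needs to
# be ingested; scoping the fix per sourcetype, as above, leaves the
# timestamp extraction for real log files untouched.
```

The same setting can be applied per source or per host stanza if only one forwarder misbehaves, but per-sourcetype is the usual choice for scripted inputs.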