Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: Logging 5.7.6
Affects Version/s: Logging 5.7.4
Component/s: Log Collection
Labels:
- devel_ack+

Blocked:
False
Blocked Reason:
None
Ready:
False
Docs QE Status:
NEW
QE Status:
NEW
Release Note Text:

Hide
Before the update, there were a lot of warning messages "Timestamp was not found." during sending logs to Splunk.
With this changes, the update overrides the name of the log field used to retrieve the timestamp to send to Splunk HEC without warning.

Show
Before the update, there were a lot of warning messages "Timestamp was not found." during sending logs to Splunk. With this changes, the update overrides the name of the log field used to retrieve the timestamp to send to Splunk HEC without warning.
Release Note Type:
Bug Fix
Risk Impact Level:
Low
Steps to Reproduce:
Hide

1) Deploy RHOL 5.7.4 version with Vector as collector.

2) Deploy a CLF instance with Splunk as output:

outputs: - name: splunk splunk: {} type: splunk url: http://test:8088 pipelines: - inputRefs: - application name: forwarder outputRefs: - splunk

3) Check Vector logs:

WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Timestamp was not found. Deferring to Splunk to set the timestamp. internal_log_rate_limit=true WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Internal log [Timestam was not found. Deferring to Splunk to set the timestamp.] is being rate limited.
Show
1) Deploy RHOL 5.7.4 version with Vector as collector. 2) Deploy a CLF instance with Splunk as output: outputs: - name: splunk splunk: {} type: splunk url: http: //test:8088 pipelines: - inputRefs: - application name: forwarder outputRefs: - splunk 3) Check Vector logs: WARN sink{component_kind= "sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Timestamp was not found. Deferring to Splunk to set the timestamp. internal_log_rate_limit= true WARN sink{component_kind= "sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Internal log [Timestam was not found. Deferring to Splunk to set the timestamp.] is being rate limited.

Sprint:
Log Collection - Sprint 240, Log Collection - Sprint 241
Severity:
Low
Risk Probability:
Low (0%-49%) - [It is unlikely this will become an issue]

SFDC Cases Links:
SFDC Cases Counter:

Description

Description of problem:

After deployed a CLF instance with Splunk as output, always we can observe some warning logs in collector pods about the Timestamp, it seems an inconsistence between the Splunk/Vector parameters.

2023-08-04T09:46:20.600258Z  WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Timestamp was not found. Deferring to Splunk to set the timestamp. internal_log_rate_limit=true
2023-08-04T09:46:20.600291Z  WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Internal log [Timestam was not found. Deferring to Splunk to set the timestamp.] is being rate limited.