OpenShift Logging / LOG-4413

Warning in Vector logs sending logs to Splunk


Details

    • False
    • None
    • False
    • NEW
    • NEW
    • Before the update, there were a lot of warning messages "Timestamp was not found." during sending logs to Splunk.
      With this change, the update overrides the name of the log field used to retrieve the timestamp to send to Splunk HEC without warning.
    • Bug Fix
    • Low
    • 1) Deploy RHOL 5.7.4 version with Vector as collector.

      2) Deploy a CLF instance with Splunk as output:

       

        outputs:
        - name: splunk
          splunk: {}
          type: splunk
          url: http://test:8088
        pipelines:
        - inputRefs:
          - application
          name: forwarder
          outputRefs:
          - splunk
      

      3) Check Vector logs:

       

      WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Timestamp was not found. Deferring to Splunk to set the timestamp. internal_log_rate_limit=true
      WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Internal log [Timestam was not found. Deferring to Splunk to set the timestamp.] is being rate limited.
      

       

       

    • Log Collection - Sprint 240, Log Collection - Sprint 241
    • Low
    • Low (0%-49%) - [It is unlikely this will become an issue]

    Description

      Description of problem:

      After deploying a CLF instance with Splunk as output, we can always observe some warning logs in the collector pods about the timestamp; it seems to be an inconsistency between the Splunk/Vector parameters.

       

      2023-08-04T09:46:20.600258Z  WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Timestamp was not found. Deferring to Splunk to set the timestamp. internal_log_rate_limit=true
      2023-08-04T09:46:20.600291Z  WARN sink{component_kind="sink" component_id=splunk component_type=splunk_hec_logs component_name=splunk}: vector::internal_events::splunk_hec::sink: Internal log [Timestam was not found. Deferring to Splunk to set the timestamp.] is being rate limited.
      

       

      Version-Release number of selected component (if applicable):

      cluster-logging.v5.7.4

      Vector

      Actual results:

      Warning logs in Vector when sending logs to external third-party Splunk

      Expected results:

      Warning logs in Vector when sending logs to external third-party Splunk

      Additional info:
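
A simplified model of the behaviour behind this warning, added here as an illustration; it is not part of the ticket and not Vector's code. It builds a Splunk HEC envelope and sets the `time` field only when the configured timestamp key resolves in the record. The `@timestamp` field name, the `timestamp` default key and the sample records are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

WARNING = "Timestamp was not found. Deferring to Splunk to set the timestamp."

def to_epoch(value):
    """Convert an RFC 3339 string to epoch seconds; None if absent or malformed."""
    if not isinstance(value, str):
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if parsed.tzinfo is None:          # treat naive values as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.timestamp()

def build_hec_event(record, timestamp_key):
    """Return (HEC envelope, warnings) for one log record."""
    envelope, warnings = {"event": record}, []
    epoch = to_epoch(record.get(timestamp_key))
    if epoch is None:
        warnings.append(WARNING)       # Splunk will assign its own receive time
    else:
        envelope["time"] = epoch       # event keeps the time it was produced
    return envelope, warnings

def count_deferred(records, timestamp_key):
    """Number of records that would reach Splunk without an event time."""
    return sum(1 for r in records if build_hec_event(r, timestamp_key)[1])

# Constructed sample records; "@timestamp" as the field name is an assumption.
SAMPLE = [
    {"@timestamp": "2023-08-04T09:46:20.600258Z", "message": "login ok"},
    {"@timestamp": "2023-08-04T09:46:21.000000+00:00", "message": "login failed"},
    {"@timestamp": "not-a-date", "message": "corrupt record"},
]

if __name__ == "__main__":
    for key in ("timestamp", "@timestamp"):   # assumed default vs. overridden key
        print(key, "->", count_deferred(SAMPLE, key), "of", len(SAMPLE), "deferred")
    print(json.dumps(build_hec_event(SAMPLE[0], "@timestamp")[0]))
```

Events counted as deferred are the ones Splunk would stamp with its own receive time, so their order in a search can differ from the order in which they were produced.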


          People

            vparfono Vitalii Parfonov
            acandelp Adrian Candel
            Anping Li Anping Li