props.conf should have DATETIME_CONFIG = NONE for DockerInspect #1
Hi!
I just tested a little with your stats application and had some fun with DockerInspect. While I was expecting to see some output of docker inspect every 15min in my Splunk I found only some "random" events.
After investigating for a while I found that docker inspect prints out a "Created" field (creation date of the container) which will be interpreted as the timestamp of the event (Splunk is looking at the first 150 chars for a date).
docker inspect 39bbb329349c | jq -c -M -r ".[]"
{
"Id": "39bbb329349cdab38e0a06f84eca642241d2ca6fabeea0926675b0136fd2b010",
"Created": "2015-10-02T08:25:17.039570547Z",
So depending on the creation date of my containers, events were created or they were put somewhere back in the past, outside of my search scope.
One way to disable timestamp recognition is to set DATETIME_CONFIG = NONE
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp extractor from running or "CURRENT" to assign the current system time to each event.
* "CURRENT" will set the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor.
* "NONE" will leave the event time set to whatever time was selected by the input layer
* For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below).
* For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on the file being read.
* For other inputs, the time chosen will be the current system time when the event is read from the pipe/socket/etc.
* Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_*, MUST_BREAK_* settings to control event merging.
* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).
So with a props.conf like this, docker inspect is working as expected.
[DockerInspect]
INDEXED_EXTRACTIONS = JSON
DATETIME_CONFIG = NONE
Cheers Christian
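To make the failure mode above concrete, here is an added example (not code from the issue or the project) that models how Splunk picks `_time` for a DockerInspect event with and without `DATETIME_CONFIG = NONE`, and audits a props.conf for JSON stanzas that still let the extractor scan event text. The ISO-8601 regex is a simplified stand-in for the datetime.xml extractor, the 150-char window follows the post, and the event and props.conf contents are constructed.

```python
import configparser
import json
import re
from datetime import datetime, timezone

# Constructed props.conf contents: the DockerInspect stanza without and with the fix.
PROPS_BEFORE = "[DockerInspect]\nINDEXED_EXTRACTIONS = JSON\n"
PROPS_AFTER = PROPS_BEFORE + "DATETIME_CONFIG = NONE\n"

# Constructed event in the shape of `docker inspect <id> | jq -c`; the Id is a placeholder.
EVENT = json.dumps({"Id": "0" * 64, "Created": "2015-10-02T08:25:17.039570547Z",
                    "Name": "/web", "State": {"Running": True}})

# Simplified stand-in for Splunk's datetime.xml extractor: first ISO-8601 UTC timestamp wins.
ISO8601 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z")


def load_props(props_text):
    """Parse props.conf stanzas into {stanza: {KEY: value}} (keys kept case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(props_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def assign_event_time(event_text, stanza, input_time, lookahead=150):
    """Return the _time Splunk would assign. NONE and CURRENT both disable text
    extraction (both modelled here as the input-layer time); otherwise the first
    timestamp found within the lookahead window (the post says 150 chars) is used."""
    if stanza.get("DATETIME_CONFIG", "").upper() in ("NONE", "CURRENT"):
        return input_time
    m = ISO8601.search(event_text[:lookahead])
    if m is None:
        return input_time
    return datetime.strptime(m.group(0)[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def skew_days(event_text, stanza, input_time):
    """How far into the past the event lands relative to when it was actually read."""
    return (input_time - assign_event_time(event_text, stanza, input_time)).days


def stanzas_at_risk(props_text):
    """Audit check: JSON-extracted stanzas that still let the extractor scan event text."""
    return sorted(name for name, st in load_props(props_text).items()
                  if st.get("INDEXED_EXTRACTIONS", "").upper() == "JSON"
                  and st.get("DATETIME_CONFIG", "").upper() not in ("NONE", "CURRENT"))


if __name__ == "__main__":
    now = datetime(2015, 11, 1, 12, 0, tzinfo=timezone.utc)  # constructed "read" time
    for label, props in (("before", PROPS_BEFORE), ("after", PROPS_AFTER)):
        st = load_props(props)["DockerInspect"]
        print(label, assign_event_time(EVENT, st, now).isoformat(), skew_days(EVENT, st, now), "days back")
```

With the constructed read time the "before" stanza lands the event 30 days in the past (at the container's "Created" time), while the "after" stanza keeps it at the read time.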