Timestamp was not found warning in Collector Pods while forwarding logs to Splunk in RHOCP 4

Solution Verified - Updated -

Issue

  • The collector pod repeatedly logs timestamp-related warnings for the splunk_hec_logs sink.
  • The following warning messages appear in the collector pod logs when forwarding logs to Splunk:

    YYYY-MM-DDTHH:MM:SS.XXXXXZ  WARN sink{component_kind="sink" component_id=output_splunk_aosqe component_type=splunk_hec_logs}: vector::internal_events::splunk_hec::sink: Timestamp was not found. Deferring to Splunk to set the timestamp. internal_log_rate_limit=true
    
    YYYY-MM-DDTHH:MM:SS.XXXXXZ  WARN sink{component_kind="sink" component_id=output_splunk_aosqe component_type=splunk_hec_logs}: vector::internal_events::splunk_hec::sink: Internal log [Timestamp was not found. Deferring to Splunk to set the timestamp.] is being suppressed to avoid flooding
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat OpenShift Logging (RHOL)
    • 6.3.0
  • Vector
