found event timestamped=1681964469123 is out of range. Error in Splunk

Franky Laarits Posts: 59 ✭✭

I am getting the following error in Splunk when sending an event from Stream:
04-20-2023 04:21:09.000 +0000 INFO IndexWriter [7972 indexerPipe] - idx=goat: found event timestamped=1681964469123 is out of range. Using 1680307200.

Here’s what _time looks like, in Stream, when viewing the data:
{
  "_raw": "",
  "_time": 1681964469123,
  "cribl_breaker": "",
  "index": "",
  "source": "",
  "sourcetype": "",
  "cribl_pipe": ""
}

Best Answer

  • Jeremy Prescott Posts: 33 ✭✭
    edited July 2023 Answer ✓

    In my experience, Splunk isn't a fan of 13-digit epoch timestamps which look like **1681964469123**, and prefers something like **1681964469.123**.
    You could create an Eval which divides _time by 1000:

    Which should resolve the issue.
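
The division suggested in the answer above, generalised as an added example that is not part of the original thread: plain JavaScript (the language Stream Eval value expressions are written in) that converts second, millisecond, microsecond or nanosecond epochs to seconds with a fraction, without dividing a value that is already in seconds. `toEpochSeconds`, `normalizeEvent`, the `time_error` field and the sample events are constructed for illustration, and the magnitude cut-offs assume event times between 1973 and 5138.

```javascript
// Added example, not from the original thread. Helper names and the
// time_error field are hypothetical.

// Convert an epoch timestamp in s, ms, µs or ns to seconds with a fraction.
// Returns null when the input is not a usable timestamp.
function toEpochSeconds(value) {
  if (typeof value === "string") {
    if (value.trim() === "") return null;   // Number("") would be 0
    value = Number(value);
  }
  if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
    return null;
  }
  // Assumption: unit is inferred from magnitude (valid for 1973..5138).
  if (value < 1e11) return value;           // already seconds (10 digits)
  if (value < 1e14) return value / 1e3;     // milliseconds (13 digits)
  if (value < 1e17) return value / 1e6;     // microseconds (16 digits)
  return value / 1e9;                       // nanoseconds (19 digits)
}

// Return a copy of the event with _time in seconds. Events whose _time cannot
// be parsed are flagged instead of being silently re-stamped downstream.
function normalizeEvent(event) {
  const seconds = toEpochSeconds(event._time);
  if (seconds === null) {
    return { ...event, time_error: "unparseable _time" };
  }
  return { ...event, _time: seconds };
}

// Constructed sample events, one per case.
const sampleEvents = [
  { _raw: "sample a", _time: 1681964469123 },      // ms, as in the question
  { _raw: "sample b", _time: 1681964469.123 },     // already seconds
  { _raw: "sample c", _time: "1681964469123456" }, // µs, sent as a string
  { _raw: "sample d", _time: "n/a" },              // not a timestamp
];

for (const event of sampleEvents.map(normalizeEvent)) {
  console.log(JSON.stringify(event));
}
```

Flagging unparseable values matters for investigations: the log line in the question shows the indexer substituting a different time (`Using 1680307200`), which moves the event away from where it belongs on a timeline.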
