Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[receiver/splunkhecreceiver] timestamp overflows when not in seconds #36571

Open
timannguyen opened this issue Nov 27, 2024 · 5 comments
Open

[receiver/splunkhecreceiver] timestamp overflows when not in seconds #36571

timannguyen opened this issue Nov 27, 2024 · 5 comments
Labels
bug Something isn't working receiver/splunkhec

Comments

@timannguyen
Copy link
Contributor

timannguyen commented Nov 27, 2024
edited
Loading

Component(s)

https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/8e0ea012fe93a272b78e27a94e690084538b0963/receiver/splunkhecreceiver

What happened?

Description

Splunk HEC allows time to be nanosecond, microsecond, millisecond and in second. splunk to log/metric converters assumes all time is in seconds:

The receiver should not assume all incoming time is in second and cause overflow by trying to convert time to nanosecond before confirming the time unit.

Steps to Reproduce

  1. run otel with splunkhecreceiver
  2. curl -X POST http://localhost:8088/services/collector -d '{"time":1732604863241,"event":"data","source":"test","sourcetype":"test","host":"test","index":"main"}'
  3. timestamp for the event is now 9223372036854774

Expected Result

1732604863241000000
Tuesday, November 26, 2024 7:07:43.241 UTC

Actual Result

9223372036854774
Friday, April 11, 2262 11:47:16.854 UTC

Collector version

1.0.9

Environment information

Environment

Debian Bookworm
go 1.22

OpenTelemetry Collector configuration

receivers:
 splunk_hec:
   endpoint: 8088
   splitting: false

Log output

No response

Additional context

No response
@timannguyen timannguyen added bug Something isn't working needs triage New item requiring triage labels Nov 27, 2024
@github-actions GitHub Actions
Copy link
Contributor

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@VihasMakwana
Copy link
Contributor

Looking at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/FormateventsforHTTPEventCollector, It says

The event time. The default time format is UNIX time format, in the format . and depends on your local timezone.

Also, the examples uses seconds for time field.

ccing @atoulme as he might have more thoughts on this.

@VihasMakwana VihasMakwana removed the needs triage New item requiring triage label Nov 27, 2024
@github-actions github-actions bot mentioned this issue Dec 3, 2024
Closed
@timannguyen
Copy link
Contributor Author

Splunk will accepts milli, micro, nano and will be aware to parse it to valid epoch time.

@atoulme
Copy link
Contributor

atoulme commented Jan 18, 2025

IIRC I asked if you would you please update the docs, which are serving as the spec for HEC.

As @VihasMakwana pointed out the time field documentation is:

The event time. The default time format is UNIX time format, in the format . and depends on your local timezone. For example, 1433188255.500 indicates 1433188255 seconds and 500 milliseconds after epoch, or Monday, June 1, 2015, at 7:50:55 PM GMT.

If this can please be clarified, then we can go for those changes.

@timannguyen
Copy link
Contributor Author

@atoulme @VihasMakwana HEC Documentation has been updated to reflect stated issue https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/FormateventsforHTTPEventCollector#Event_metadata

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working receiver/splunkhec
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@atoulme @timannguyen @VihasMakwana