Splunk _time Watermarks not Advancing on Some Data Sources

Article ID: 184915

Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

Splunk "_time" watermarks are not advancing on some data sources. The ingestion is pulling watermarks that are too old; the watermarks are stuck on the Bluecoat and IronPort data sources.

N/A

Cause

Incorrect time field used in the Splunk query: the value assigned to "_time" for these data sources did not reflect the actual event time, so the watermark never moved forward.

Environment

6.5.2.1

Resolution

In conjunction with the tenets of ICA watermarking described in KB TECH249759, the fix was to change the Splunk query so that it uses the field "deviceReceiptTime" as the event timestamp, converting that value and assigning it to "_time". Once this was done, the integration step ran successfully, and the latest watermark dates reported as completed were current and accurate. The details of the change are specific to Splunk and are therefore not included here; a customer using this integration is expected to have sufficient Splunk search (SPL) skills to make this type of change.
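The following search is an added illustration of the kind of change described above; it is not the query from this article or from the ICA product, and a working search must be adapted to the customer's environment. The index name, the sourcetype names, and the assumed formats of "deviceReceiptTime" (13-digit epoch milliseconds, 10-digit epoch seconds, or a "Mon DD YYYY HH:MM:SS" string) are assumptions; check the actual field contents in your Splunk instance before relying on the conversion.

```spl
index=cef (sourcetype="bluecoat" OR sourcetype="ironport")
| eval indexed_time = _time
| eval _time = case(
      match(deviceReceiptTime, "^\d{13}$"), tonumber(deviceReceiptTime) / 1000,
      match(deviceReceiptTime, "^\d{10}$"), tonumber(deviceReceiptTime),
      true(),                                strptime(deviceReceiptTime, "%b %d %Y %H:%M:%S")
  )
| where isnotnull(_time)
| eval drift_seconds = round(_time - indexed_time)
| sort 0 _time
| table _time indexed_time drift_seconds deviceReceiptTime host sourcetype
```

Run the search over a short recent window first and look at "drift_seconds": a large or growing gap between "indexed_time" (the original "_time" Splunk assigned) and the converted "deviceReceiptTime" is the condition that leaves the ICA watermark stuck. Events whose "deviceReceiptTime" cannot be parsed are dropped by the "where isnotnull(_time)" step rather than being passed through with a stale timestamp; if such events appear, extend the "case()" with the additional format rather than removing that filter. Once the conversion is verified, the "indexed_time" and "drift_seconds" columns can be removed from the query used by the integration.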