Splunk TA-eStreamer v5.1.9: props.conf time fields not populating for firewall traffic.
event_sec AND first_pkt_sec are empty even though rec_type=71 events have them in the raw logs.
Not sure if it's a typo like "AS" instead of "as" in EVAL, or my guess is they are getting overwritten as last_pkt_sec extracts, but it is not found in props.
Sourcetype:

```ini
[cisco:estreamer:data]
TIME_PREFIX =event_sec=
FIELDALIAS-estreamer_first_pkt_sec_1 = connection_second AS event_sec
FIELDALIAS-estreamer_first_pkt_sec_2 = connection_sec AS first_pkt_sec
EVAL-first_pkt_sec = event_sec as first_pkt_sec
```
Also, events other than rec_type=71 don't have an event_sec, so TIME_PREFIX fails with a bunch of errors in splunkd.log.

Error:

```
02-13-2023 23:03:22.200 -0500 WARN DateParserVerbose [2964285 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (40) characters of event. Defaulting to timestamp of previous event (Mon Feb 13 08:56:05 2023). Context: source=encore|host=splunk|cisco:estreamer:data|3293
02-13-2023 23:09:01.943 -0500 WARN DateParserVerbose [2964285 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (40) characters of event. Defaulting to timestamp of previous event (Mon Feb 13 09:01:11 2023). Context: source=encore|host=splunk|cisco:estreamer:data|3625
 37 similar messages suppressed. First occurred at: Mon Feb 13 23:03:27 2023
```
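The warnings quoted above are the signal a detection engineer should be watching for: every event that hits "Defaulting to timestamp of previous event" is indexed with a stale `_time`, which silently shifts firewall connection events out of the window any time-based correlation search looks at. The script below is an added example, not part of this issue or of the TA-eStreamer project: it parses `DateParserVerbose` warnings out of splunkd.log text, folds in the "N similar messages suppressed" count so the total reflects the events actually affected, and measures how far behind real time each defaulted event landed. The sample log is constructed from the shape of the two lines in the report; the assumption that the defaulted timestamp is in the same local zone as the log line (it carries no offset), and the choice to ignore the trailing number in the Context field (the page does not say what it is), are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample splunkd.log text, shaped like the two warnings quoted in
# the issue plus one unrelated INFO line the parser must ignore. The page shows
# the "similar messages suppressed" tail joined to its warning with a literal
# "\n"; the parser accepts that form and a real line break.
SAMPLE_SPLUNKD_LOG = """\
02-13-2023 23:03:22.200 -0500 WARN DateParserVerbose [2964285 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (40) characters of event. Defaulting to timestamp of previous event (Mon Feb 13 08:56:05 2023). Context: source=encore|host=splunk|cisco:estreamer:data|3293
02-13-2023 23:09:01.943 -0500 WARN DateParserVerbose [2964285 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (40) characters of event. Defaulting to timestamp of previous event (Mon Feb 13 09:01:11 2023). Context: source=encore|host=splunk|cisco:estreamer:data|3625
 37 similar messages suppressed. First occurred at: Mon Feb 13 23:03:27 2023
02-13-2023 23:10:00.000 -0500 INFO  Metrics - group=thruput, name=index_thruput, instantaneous_kbps=1.2
"""

WARN_RE = re.compile(
    r"^(?P<logged_at>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} [+-]\d{4} "
    r"WARN\s+DateParserVerbose \[\d+ [^\]]+\] - Failed to parse timestamp in first "
    r"MAX_TIMESTAMP_LOOKAHEAD \((?P<lookahead>\d+)\) characters of event\. "
    r"Defaulting to timestamp of previous event \((?P<defaulted_to>[^)]+)\)\. "
    r"Context: (?P<context>[^\n\\]+)"
    r"(?:(?:\\n|\n)\s*(?P<suppressed>\d+) similar messages suppressed\.)?",
    re.MULTILINE,
)


@dataclass
class ParseFailure:
    logged_at: datetime     # when splunkd wrote the warning (local time, offset dropped)
    defaulted_to: datetime  # the stale timestamp the event was actually given
    source: str
    host: str
    sourcetype: str
    lookahead: int          # MAX_TIMESTAMP_LOOKAHEAD in effect for the sourcetype
    suppressed: int         # further identical warnings Splunk collapsed into this one


def _split_context(context):
    """Context is pipe-separated: key=value pairs plus bare positional fields.
    In the issue's lines the first bare field is the sourcetype; the last is a
    number the page does not explain, so it is ignored here (assumption)."""
    kv, bare = {}, []
    for part in context.split("|"):
        if "=" in part:
            k, v = part.split("=", 1)
            kv[k] = v
        else:
            bare.append(part)
    return kv, bare


def parse_failures(text):
    """Return one ParseFailure per DateParserVerbose warning found in text."""
    failures = []
    for m in WARN_RE.finditer(text):
        kv, bare = _split_context(m.group("context"))
        failures.append(ParseFailure(
            logged_at=datetime.strptime(m.group("logged_at"), "%m-%d-%Y %H:%M:%S"),
            defaulted_to=datetime.strptime(m.group("defaulted_to"), "%a %b %d %H:%M:%S %Y"),
            source=kv.get("source", ""),
            host=kv.get("host", ""),
            sourcetype=bare[0] if bare else "",
            lookahead=int(m.group("lookahead")),
            suppressed=int(m.group("suppressed") or 0),
        ))
    return failures


def failures_per_sourcetype(failures):
    """Count every affected event, including the ones hidden by suppression."""
    totals = Counter()
    for f in failures:
        totals[f.sourcetype] += 1 + f.suppressed
    return totals


def skew_seconds(failure):
    """How far behind real time the event was indexed. Assumes the defaulted
    timestamp is in the same local zone as the log line, since it has no offset."""
    return int((failure.logged_at - failure.defaulted_to).total_seconds())


def max_skew_seconds(failures):
    """Worst skew seen; this is the window a time-bounded search would miss by."""
    return max((skew_seconds(f) for f in failures), default=0)


if __name__ == "__main__":
    found = parse_failures(SAMPLE_SPLUNKD_LOG)
    for sourcetype, n in failures_per_sourcetype(found).items():
        print(f"{sourcetype}: {n} events were given a defaulted timestamp")
    print(f"worst observed skew: {max_skew_seconds(found)} seconds")
```

On the two lines from the report the script attributes 39 events to `cisco:estreamer:data` (2 warnings plus 37 suppressed) and a worst skew of just over fourteen hours, which is the size of the blind spot a "last 15 minutes" correlation search would have had for that traffic. Point it at `$SPLUNK_HOME/var/log/splunk/splunkd.log` on the indexer or heavy forwarder that runs the parsing queue; a non-zero count for a sourcetype after a TA upgrade is the cheapest regression check for a broken `TIME_PREFIX`.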