Splunk TA-eStreamer v5.1.9: props.conf time fields not populating for firewall traffic.
event_sec and first_pkt_sec are empty even though rec_type=71 events have them in the raw logs.
Not sure if it's a typo like "AS" instead of "as" in EVAL, or my guess is they are getting overwritten as last_pkt_sec extracts, but it is not found in props.
Sourcetype
[cisco:estreamer:data]
TIME_PREFIX = event_sec\=
FIELDALIAS-estreamer_first_pkt_sec_1 = connection_second AS event_sec
FIELDALIAS-estreamer_first_pkt_sec_2 = connection_sec AS first_pkt_sec
EVAL-first_pkt_sec = event_sec as first_pkt_sec
Also, events other than rec_type=71 don't have an event_sec, so TIME_PREFIX fails with a bunch of errors in splunkd.log:
error
02-13-2023 23:03:22.200 -0500 WARN DateParserVerbose [2964285 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (40) characters of event. Defaulting to timestamp of previous event (Mon Feb 13 08:56:05 2023). Context: source=encore|host=splunk|cisco:estreamer:data|3293
02-13-2023 23:09:01.943 -0500 WARN DateParserVerbose [2964285 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (40) characters of event. Defaulting to timestamp of previous event (Mon Feb 13 09:01:11 2023). Context: source=encore|host=splunk|cisco:estreamer:data|3625
37 similar messages suppressed. First occurred at: Mon Feb 13 23:03:27 2023
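Added example, not code from the original post or from the TA-eStreamer app: a small Python simulation of what TIME_PREFIX plus MAX_TIMESTAMP_LOOKAHEAD (40) do to a batch of events, reproducing the "Defaulting to timestamp of previous event" behaviour the splunkd.log warning describes and measuring how much of the batch ends up with a borrowed _time. The sample events are constructed; only the rec_type=71 ones carry event_sec, and the field names on the non-71 events are placeholders, not real eStreamer record layouts. Splunk's real date parser does more than this, but the prefix-then-lookahead window is the part that fails here.

```python
import re
from datetime import datetime, timezone

# Splunk's default MAX_TIMESTAMP_LOOKAHEAD, as quoted in the warning on this page.
LOOKAHEAD = 40

# Constructed sample events in key=value form. Only rec_type=71 events carry
# event_sec; the rec_type=9 lines are placeholders for "some other record type".
SAMPLE_EVENTS = [
    "rec_type=71 event_sec=1676334965 connection_sec=1676334965 first_pkt_sec=1676334960 src_ip=10.0.0.5 dest_ip=10.0.0.9",
    "rec_type=9 rec_type_simple=CONSTRUCTED src_ip=10.0.0.5 dest_ip=10.0.0.9",
    "rec_type=71 event_sec=1676335100 connection_sec=1676335100 first_pkt_sec=1676335095 src_ip=10.0.0.7 dest_ip=10.0.0.9",
    "rec_type=9 rec_type_simple=CONSTRUCTED src_ip=10.0.0.8 dest_ip=10.0.0.9",
]


def extract_timestamp(event, time_prefix=r"event_sec=", lookahead=LOOKAHEAD):
    """Mimic TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD.

    Find the prefix regex, then look for an epoch-seconds value within the next
    `lookahead` characters. Returns an aware UTC datetime, or None when either
    the prefix is absent or no epoch value sits inside the window.
    """
    prefix = re.search(time_prefix, event)
    if not prefix:
        return None
    window = event[prefix.end(): prefix.end() + lookahead]
    epoch = re.match(r"\d{9,10}", window)
    if not epoch:
        return None
    return datetime.fromtimestamp(int(epoch.group()), tz=timezone.utc)


def assign_timestamps(events, time_prefix=r"event_sec="):
    """Apply the fallback the warning describes: an event whose timestamp cannot
    be parsed inherits the previous event's timestamp (None if there was none
    yet; Splunk itself would then fall back to index time).

    Returns a list of (timestamp, defaulted) tuples in input order.
    """
    results = []
    previous = None
    for event in events:
        ts = extract_timestamp(event, time_prefix)
        if ts is None:
            results.append((previous, True))
        else:
            results.append((ts, False))
            previous = ts
    return results


def fallback_rate(results):
    """Share of events that took the fallback. A high value means _time is
    unreliable for time-based correlation and searches on this sourcetype."""
    if not results:
        return 0.0
    return sum(1 for _, defaulted in results if defaulted) / len(results)


if __name__ == "__main__":
    assigned = assign_timestamps(SAMPLE_EVENTS)
    for event, (ts, defaulted) in zip(SAMPLE_EVENTS, assigned):
        flag = "DEFAULTED" if defaulted else "parsed"
        print(f"{flag:9} {ts.isoformat() if ts else None}  <- {event[:40]}")
    print(f"fallback rate: {fallback_rate(assigned):.0%}")
```

Running it shows the two rec_type=71 events parsed from event_sec and the two other events silently inheriting the preceding connection event's time, which is exactly the situation behind the "37 similar messages suppressed" line: the warning is rate-limited, so the log undercounts how many events were mis-timed. The `time_prefix` argument is there so a broader regex can be tried against the same batch before touching props.conf.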