https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127097#M10124 <P>I have the exact same issue with cisco sourcefire logs where splunk assumes a random year on the timestamp.<BR /> There is no year information in the logs.</P> Fri, 22 Nov 2019 19:16:11 GMT jaivijay_rio 2019-11-22T19:16:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127094#M10121 <P>I am currently investigating issue where "_time" has year extracted from last octet from the syslog source IP. The logs are from sourcefire and sending syslog without year. </P> <P>the raw syslog from two source DCs </P> <P>Feb 4 10:52:22 SIGIPSDC01 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:52:21 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118-&gt;23.23.154.127:80</P> <P>Feb 4 10:50:51 SIGIPSDC02 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:50:51 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118-&gt;23.23.154.127:80</P> <P>These logs are forwarded by heavy forwarder and actual logs from search head looks like:</P> <P>_time<BR /> <EM>2/4/14 9:50:51.000 PM</EM> <STRONG>Feb 4 21:50:51 10.0.12.14</STRONG>Feb 4 10:50:51 SIGIPSDC02 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:50:51 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118-&gt;23.23.154.127:80</P> <P>_time<BR /> <EM>2/4/13 9:52:22.000 PM</EM> <STRONG>Feb 4 21:52:22 10.0.12.13</STRONG> Feb 4 10:52:22 SIGIPSDC01 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:52:21 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118-&gt;23.23.154.127:80</P> <P>This issue occurs only if last octet of source syslog device ends with .10 or .11 or .12 or .13 or .14 or .15</P> Mon, 28 Sep 2020 18:50:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127094#M10121 ramsanga 2020-09-28T18:50:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127095#M10122 <P>We've filed a bug for this and will address.</P> Sun, 22 Feb 2015 01:58:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127095#M10122 jcoates_splunk 2015-02-22T01:58:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127096#M10123 <P>following up... this was discovered to be a Splunk configuration issue that we can't address well from within the Add-on, so we've updated the documentation: <A href="http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Troubleshooting#Data_truncation_issues">http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Troubleshooting#Data_truncation_issues</A></P> Sun, 01 Mar 2015 17:56:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127096#M10123 jcoates_splunk 2015-03-01T17:56:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127097#M10124 <P>I have the exact same issue with cisco sourcefire logs where splunk assumes a random year on the timestamp.<BR /> There is no year information in the logs.</P> Fri, 22 Nov 2019 19:16:11 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Cisco-Sourcefire-Why-is-the-wrong-year/m-p/127097#M10124 jaivijay_rio 2019-11-22T19:16:11Z