topic Events getting truncated at the beginning in Knowledge Management

Events getting truncated at the beginning

Navanitha — Fri, 29 Sep 2023 10:03:57 GMT

Some of the event logs in Splunk are getting truncated at the beginning.

Tried some prop's to break before date, line_breaking at new line but nothing seems to be working.

Truncated events
9/29/23 5:40:46.000 AM entFacing:1x.1xx.1xx.2xx/4565 to inside:1x.9x.x4x.x4x/43 duration 0:00:00 bytes 0

9/29/23 5:40:36.000 AM 53 (1x.x8.2xx.2xx/34)

9/29/23 5:37:21.000 AM bytes 1275

Well parsed events -

2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302014: Teardown TCP connection 758830654 for ARCC:1xx.x7.9x.1x/xx to inside:1x.2xx.6x.x1/xx17 duration 0:00:00 bytes 0 Failover primary closed

2023-09-29T05:57:57-04:00 1x.xx.2.1xx %ASA-6-302021: Teardown ICMP connection for faddr 1x0.x5.0.1x/0 gaddr 1x.2x6.1xx6.x6/0 laddr 1x.xx6.1xx.x6/0 type 3 code 1

My props

TZ = UTC
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=32

Re: Events getting truncated at the beginning

gcusello — Fri, 29 Sep 2023 10:14:14 GMT

Hi @Navanitha,

I see that the TIME_FORMAT is different, are these logs coming from the same source?

maybe you have to apply different sourcetypes and different timestamp formatting.

Ciao.

Giuseppe

Re: Events getting truncated at the beginning

Navanitha — Fri, 29 Sep 2023 11:01:47 GMT

They are coming from same source type, sorry the timestamp shown in first set of sample events is Splunk time stamp followed by broken events.

The second set of sample is complete event with timestamp, I removed Splunk timestamp. Sharing the event below along with Splunk timestamp.

9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302014: Teardown TCP connection 758830654 for ARCC:1xx.1x.9x.x8/x0 to inside:x0.2xx.x8.x1/4xx17 duration 0:00:00 bytes 0 Failover primary closed

9/29/23 5:57:57.000 AM 2023-09-29T05:57:57-04:00 1x.1xx.2x.1xx %ASA-6-302021: Teardown ICMP connection for faddr 1xx.x5.x0.x4/0 gaddr 1x.xx6.1xx.x6/0 laddr 1x.xx6.1x.x6/0 type 3 code 1

Re: Events getting truncated at the beginning

gcusello — Fri, 29 Sep 2023 11:09:02 GMT

Hi @Navanitha

are you using the correct CiscoA SA add-On (https://splunkbase.splunk.com/app/1620)?

Ciao.

Giuseppe

Re: Events getting truncated at the beginning

Navanitha — Fri, 29 Sep 2023 11:12:13 GMT

I am colleting these logs using Splunk UDP inputs and not through add-on. However I did install this add-on on our SH to make the data CIM Compatible.

Re: Events getting truncated at the beginning

gcusello — Fri, 29 Sep 2023 12:22:47 GMT

Hi @Navanitha ,

yes you are using an input to take these syslogs, but you have to parse them, and you can parse your logs using the correct Add-On.

The Add-on must be installed on the Search Head and on the Heavy Forwarder where you enabled input.

Ciao.

Giuseppe

Re: Events getting truncated at the beginning

Navanitha — Fri, 29 Sep 2023 16:52:32 GMT

I tried installing Add-on on HF and mapped the right source type still no luck. Few events are truncated in the beginning.