Has anyone gotten this error message after installation, and can point me in a direction to resolve it?
WARN DateParserVerbose - Failed to parse timestamp in first MAXTIMESTAMPLOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Dec 17 14:01:08 2019). Context: source=/opt/Firepower/splunk/etc/apps/TA-eStreamer|host=splumkhf.domain.com|cisco:estreamer:data|83258
Just tracked down this same issue, the "cisco:estreamer:data" sourcetype is expecting the event_sec field for timestamp. There are a number of events that do not contain that field.
sourcetype="cisco:estreamer:data" NOT event_sec="*"
Also, this addon needs reworking to handle the FIELDALIAS behavior changes after 7.2.4
This means that Splunk is not finding the timestamp in your event where it is expecting to find it.
Or, it is not in the format expected and is being 'overlooked'.
All settings related to this can be found within props.conf, and could be one of several...
I would suggest you manually upload some sample events via the web UI, apply the sourcetype and preview the results. This should show you what is going wrong with the date/time extraction.
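To make the two answers above concrete, here is an added example (not code from the thread or from the TA-eStreamer add-on) that simulates Splunk's timestamp lookahead on a few constructed key=value records: it shows which events would be parsed, which would fall back to the previous event's timestamp exactly as the WARN line reports, and which lack the event_sec field that the `NOT event_sec="*"` search finds. The lookahead logic is a deliberately simplified model of the props.conf behaviour (window counted from the start of the event, or from the end of a TIME_PREFIX match when one is supplied); the sample events, field values and record types are made up for the demonstration. The reason this matters beyond a noisy warning: an event stamped with its predecessor's time lands in the wrong place on the timeline, so correlation searches and incident reconstruction built on that sourcetype quietly drift.

```python
import re
from datetime import datetime, timezone

MAX_TIMESTAMP_LOOKAHEAD = 128  # the value quoted in the warning above

# Constructed sample records in a key=value layout; they are not real eStreamer output.
# 1: event_sec sits early in the event                      -> parsed either way
# 2: a long field pushes event_sec past the 128-char window -> needs TIME_PREFIX
# 3: no event_sec at all                                    -> always defaults
SAMPLE_EVENTS = [
    "rec_type=71 rec_type_simple=RNA_NEW_HOST event_sec=1576591268 event_usec=0 ip=10.0.0.5",
    "rec_type=500 rec_type_simple=FILE_EVENT sha256=" + "a" * 150 + " event_sec=1576591300 ip=10.0.0.6",
    "rec_type=110 rec_type_simple=EXTRA_DATA ip=10.0.0.7 data=no_timestamp_here",
]

# Epoch seconds as a standalone 10-digit run (what TIME_FORMAT = %s would match).
EPOCH_RE = re.compile(r"\b(\d{10})\b")


def find_timestamp(event, time_prefix=None, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Simplified model of Splunk's timestamp search.

    Without a TIME_PREFIX the epoch must appear inside the first `lookahead`
    characters of the event. With a TIME_PREFIX regex, the window starts right
    after the prefix match instead. Returns an aware UTC datetime or None.
    """
    start = 0
    if time_prefix is not None:
        prefix_match = re.search(time_prefix, event)
        if prefix_match is None:
            return None
        start = prefix_match.end()
    window = event[start:start + lookahead]
    epoch_match = EPOCH_RE.search(window)
    if epoch_match is None:
        return None
    return datetime.fromtimestamp(int(epoch_match.group(1)), tz=timezone.utc)


def assign_timestamps(events, time_prefix=None):
    """Walk events in order and apply the fallback the WARN line describes.

    Each result is (timestamp, source) where source is:
      "parsed"         - extracted from the event itself
      "previous_event" - copied from the last successfully parsed event
      "unparsed"       - nothing to fall back on yet (Splunk would use index time)
    """
    results, previous = [], None
    for event in events:
        ts = find_timestamp(event, time_prefix)
        if ts is not None:
            results.append((ts, "parsed"))
            previous = ts
        elif previous is not None:
            results.append((previous, "previous_event"))
        else:
            results.append((None, "unparsed"))
    return results


def missing_event_sec(events):
    """Equivalent of the search  sourcetype="cisco:estreamer:data" NOT event_sec="*"  ."""
    return [event for event in events if "event_sec=" not in event]


if __name__ == "__main__":
    for label, prefix in (("no TIME_PREFIX", None), ("TIME_PREFIX=event_sec=", r"event_sec=")):
        print(f"--- {label}")
        for (ts, source), event in zip(assign_timestamps(SAMPLE_EVENTS, prefix), SAMPLE_EVENTS):
            print(f"{source:15s} {ts} <- {event[:60]}...")
    print("events with no event_sec field:", len(missing_event_sec(SAMPLE_EVENTS)))
```

Running it without a prefix reproduces the thread's symptom on the second and third records; with `TIME_PREFIX` pointing at `event_sec=` only the record that genuinely lacks the field still defaults. That is the split the two answers describe: the second case is a props.conf tuning problem (TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD are the relevant settings), while the third case is a data problem that no extraction setting can fix and is best surfaced with the `NOT event_sec="*"` search before deciding how those records should be stamped.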