When installing the new cisco security app and addons you get the error during tar
implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/data/ui/views/ips_overview.xml: implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/data/ui/views/rt_ips.xml: implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/eventtypes.conf: implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/inputs.conf: implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/macros.conf: implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/props.conf: implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/restmap.conf: implausibly old time stamp 1970-01-01 01:00:00
tar: Splunk_CiscoIPS/default/savedsearches.conf: implausibly old time stamp 1970-01-01 01:00:00
after that the conf file are R only, so you cant change anything ( by default with gui)
can I ignore the messages? ( and change the file rights with RW, or am I running in troubles and do I have to wait for a splunk fix?
The root cause for the implausibly old time stamp issue has been identified and will be addressed in a maintenance release of the app (reference issue SOLN-949).
Read-Only Conf Files
You should not edit the configuration files under the default directory. Instead, you can override the default conf file settings by creating a conf file with the same name under the local directory with the parameters you want to change.
For example, the Cisco Security Suite app ships with an app.conf file under default (etc/apps/Splunk_CiscoSecuritySuite/default/app.conf) that includes the following:
state = enabled
is_configured = false
build = 96705
Once you configure the app in the Splunk UI, Splunk overrides the "is_configured" field by making a local conf file (etc/apps/Splunk_CiscoSecuritySuite/local/app.conf) that overrides the is_configured field:
is_configured = true
The local version takes precedence over the default conf file; thus, Splunk acts the same as if the default app.conf file had been modified and is_configured will be considered to have a value of "true".
It is important to edit the local conf files because the settings you put under the local directory will persist after an upgrade. However, settings made in the default directory are not upgrade safe.