All Apps and Add-ons

Cisco Security Suite app and add ons install


When installing the new cisco security app and addons you get the error during tar

implausibly old time stamp 1970-01-01 01:00:00


Splunk_CiscoIPS/default/data/ui/views/ips_overview.xml tar: Splunk_CiscoIPS/default/data/ui/views/ips_overview.xml: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/data/ui/views/rt_ips.xml tar: Splunk_CiscoIPS/default/data/ui/views/rt_ips.xml: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/eventtypes.conf tar: Splunk_CiscoIPS/default/eventtypes.conf: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/inputs.conf tar: Splunk_CiscoIPS/default/inputs.conf: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/macros.conf tar: Splunk_CiscoIPS/default/macros.conf: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/props.conf tar: Splunk_CiscoIPS/default/props.conf: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/restmap.conf tar: Splunk_CiscoIPS/default/restmap.conf: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/savedsearches.conf tar: Splunk_CiscoIPS/default/savedsearches.conf: implausibly old time stamp 1970-01-01 01:00:00 Splunk_CiscoIPS/default/setup.xml

after that the conf file are R only, so you cant change anything ( by default with gui) can I ignore the messages? ( and change the file rights with RW, or am I running in troubles and do I have to wait for a splunk fix?

0 Karma


Implausibly Old Timestamps

The root cause for the implausibly old time stamp issue has been identified and will be addressed in a maintenance release of the app (reference issue SOLN-949).

Read-Only Conf Files

You should not edit the configuration files under the default directory. Instead, you can override the default conf file settings by creating a conf file with the same name under the local directory with the parameters you want to change.

For example, the Cisco Security Suite app ships with an app.conf file under default (etc/apps/Splunk_CiscoSecuritySuite/default/app.conf) that includes the following:

state = enabled
is_configured = false
build = 96705

Once you configure the app in the Splunk UI, Splunk overrides the "is_configured" field by making a local conf file (etc/apps/Splunk_CiscoSecuritySuite/local/app.conf) that overrides the is_configured field:

is_configured = true

The local version takes precedence over the default conf file; thus, Splunk acts the same as if the default app.conf file had been modified and is_configured will be considered to have a value of "true".

It is important to edit the local conf files because the settings you put under the local directory will persist after an upgrade. However, settings made in the default directory are not upgrade safe.

Source: Splunk Docs

Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...