I'm running v3.6.8 of this Add-On and I'm seeing the following error message - "Invalid EVAL expression for 'EVAL-first_pkt_sec' in stanza [cisco:estreamer:data]: The expression is malformed. Expected AND." being reported in the search.log during searches.
The release notes for v3.6.8 of this Add-On include the note that the add-on was:
"Modified definition of event_sec for connection events, in the FMC all connection events start at first packet time which is now the value used for indexing. The first_pkt_sec field is still preserved to support backward compatibility."
Within the default/props.conf I can see the following entries under the [cisco:estreamer:data] stanza:
FIELDALIAS-estreamer_first_pkt_sec_1 = connection_second AS first_pkt_sec
FIELDALIAS-estreamer_first_pkt_sec_2 = connection_sec AS first_pkt_sec
EVAL-first_pkt_sec = event_sec as first_pkt_sec
The EVAL statement looks like it's trying to be a FIELDALIAS statement (albeit with a lowercase 'as') but I don't know enough about the source to understand what it's trying to achieve.
Any help on a fix would be appreciated - preferably via a new version of the Add-on - but I'd accept a workaround that I can apply locally.
I'm not the developer for this code but my colleague is and I will chat with him to try to get a detailed technical answer. That said, I think I can give you some important background and shed some light on your question.
In older versions of the eNcore code the Connection Event timestamp we used was derived from the time a connection was concluded, i.e., the last packet. This caused some real problems since sometimes connections stay open for a very long time. Seconds? Minutes? Days? Our platform doesn't always age out connections in an orderly process and so we concluded, after a lot of analysis in a few customer environments, that we had to make the initiation of a connection (first packet) the actual timestamp we put in the event.
Not sure if you still think a change to the code is needed. We're open minded.
The EVAL-first_pkt_sec statement is malformed and generates an error during searches so IMHO it needs a code change to fix it. The issue then is to what, and based on what you've described, I suspect that the answer is:
EVAL-first_pkt_sec = coalesce(first_pkt_sec, event_sec)
If that change makes sense then I'd prefer that the app itself was changed and updated on SplunkBase rather than me making a local modification.
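As an added illustration (not code from this thread or from the Add-On itself), the Python script below reads the quoted [cisco:estreamer:data] entries, flags an EVAL- setting written in FIELDALIAS syntax, and then emulates Splunk's search-time order (field aliases run before calculated fields) on two constructed events to show what the proposed coalesce(first_pkt_sec, event_sec) form yields. The props.conf reader, the tiny eval subset and the "first alias wins" rule are simplifications assumed here for the demonstration; the event values are constructed epoch seconds.

```python
import re

# Constructed from the props.conf entries quoted in the question: the v3.6.8
# [cisco:estreamer:data] stanza including the malformed EVAL line.
PROPS_CONF = """\
[cisco:estreamer:data]
FIELDALIAS-estreamer_first_pkt_sec_1 = connection_second AS first_pkt_sec
FIELDALIAS-estreamer_first_pkt_sec_2 = connection_sec AS first_pkt_sec
EVAL-first_pkt_sec = event_sec as first_pkt_sec
"""

IDENT = r"[A-Za-z_]\w*"
# "x as y" (any case) is FIELDALIAS syntax, not an eval expression.
ALIAS_SHAPED = re.compile(rf"^\s*({IDENT})\s+as\s+({IDENT})\s*$", re.IGNORECASE)
ALIAS_PAIR = re.compile(rf"({IDENT})\s+AS\s+({IDENT})")


def parse_props(text):
    """Minimal props.conf reader (assumed, not Splunk's parser): {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def lint_evals(stanzas):
    """Flag EVAL-<field> entries written in alias syntax and suggest the coalesce
    form: keep <field> when an alias already populated it, else fall back to the
    source named on the right-hand side."""
    findings = []
    for stanza, entries in stanzas.items():
        for key, value in entries.items():
            m = ALIAS_SHAPED.match(value) if key.startswith("EVAL-") else None
            if m:
                src, dst = m.groups()
                findings.append((stanza, key, f"coalesce({dst}, {src})"))
    return findings


def eval_expression(expr, fields):
    """Evaluate the tiny eval subset used here: coalesce(f1, f2, ...) or a bare
    field name. Anything else is treated as malformed, mirroring the search.log
    error quoted in the question."""
    m = re.match(rf"^\s*coalesce\(\s*({IDENT}(?:\s*,\s*{IDENT})*)\s*\)\s*$", expr)
    if m:
        for name in (n.strip() for n in m.group(1).split(",")):
            if fields.get(name) is not None:
                return fields[name]
        return None
    if re.match(rf"^\s*{IDENT}\s*$", expr):
        return fields.get(expr.strip())
    raise ValueError(f"Invalid EVAL expression {expr!r}: The expression is malformed.")


def is_malformed(expr):
    """True when the eval subset above rejects the expression."""
    try:
        eval_expression(expr, {})
        return False
    except ValueError:
        return True


def apply_search_time(entries, event):
    """Emulate Splunk's search-time order for these two knowledge objects:
    field aliases are applied before calculated fields (EVAL). Simplification:
    if two aliases target the same field, the first one with a present source
    wins (Splunk would build a multivalue field instead)."""
    fields = dict(event)
    for key, value in entries.items():
        if key.startswith("FIELDALIAS-"):
            for src, dst in ALIAS_PAIR.findall(value):
                if src in fields and dst not in fields:
                    fields[dst] = fields[src]
    for key, value in entries.items():
        if key.startswith("EVAL-"):
            result = eval_expression(value, fields)
            if result is not None:
                fields[key[len("EVAL-"):]] = result
    return fields


def fixed_stanza(stanzas, name="cisco:estreamer:data"):
    """Return a copy of the stanza with each linted EVAL replaced by its suggestion."""
    entries = dict(stanzas[name])
    for stanza, key, suggestion in lint_evals(stanzas):
        if stanza == name:
            entries[key] = suggestion
    return entries


if __name__ == "__main__":
    stanzas = parse_props(PROPS_CONF)
    for stanza, key, suggestion in lint_evals(stanzas):
        print(f"[{stanza}] {key}: alias syntax in EVAL; suggest '{key} = {suggestion}'")
    # Constructed sample events: one carrying a connection start time, one without.
    with_start = {"event_sec": 1700000000, "connection_sec": 1699999990}
    without_start = {"event_sec": 1700000000}
    fixed = fixed_stanza(stanzas)
    print(apply_search_time(fixed, with_start)["first_pkt_sec"])     # 1699999990
    print(apply_search_time(fixed, without_start)["first_pkt_sec"])  # 1700000000
```

Run as-is it prints the lint finding and then the two first_pkt_sec values: the aliased connection_sec when the event has one, and event_sec otherwise, which is the backward-compatible behaviour the release note describes. Feeding the unmodified stanza to apply_search_time raises the malformed-expression error instead, so the same script can be pointed at a local props.conf to confirm the fix before and after editing.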