On our Heavy Forwarder 6.3.3 with Cisco ASA 3.2.4 we keep receiving DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event. Why does the Cisco ASA TA have a TIME_PREFIX without a complete regex?
As you know, the Verbose errors indicate that Splunk is unable to parse the timestamp using the strptime (TIME_FORMAT) in the sourcetype. You can do a few things.
1. Enable DEBUG by creating the file 'log-local.cfg' (a copy of log.cfg) in /opt/splunk/etc with the following additions
2. Restart Splunk and check for DataVerbose errors. This will show the strptime format issue so you can see how Splunk interprets the event timestamp.
3. Update your props.conf to reflect something like the below (adjust as needed)
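An offline way to check a candidate TIME_PREFIX / TIME_FORMAT pair before editing props.conf, as an added example that is not part of the original answer or of the Cisco ASA TA. The regex, format string, lookahead value and sample events are assumptions constructed for illustration, and Python's strptime only approximates Splunk's parser.

```python
import re
from datetime import datetime

# Assumed candidate settings (not taken from the Cisco ASA TA or the answer above).
TIME_PREFIX = r"^(?:<\d+>)?"        # optional syslog PRI before the timestamp
TIME_FORMAT = "%b %d %Y %H:%M:%S"   # e.g. "Jan 12 2017 10:15:32"
MAX_TIMESTAMP_LOOKAHEAD = 20        # characters examined after the prefix match

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    "<166>Jan 12 2017 10:15:32 fw01 : %ASA-6-302013: Built outbound TCP connection 1",
    "Jan 12 2017 10:15:33 fw01 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/5050",
    "<166>Jan 12 10:15:34 fw01 : %ASA-6-302014: Teardown TCP connection 1",  # no year
    "<166>:Jan 12 10:15:35 UTC: %ASA-5-111008: User 'admin' executed a command",  # stray colon
]


def extract_timestamp(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the parsed datetime, or None where parsing would fail."""
    m = re.search(prefix, event)
    if m is None:
        return None  # prefix never matched, so there is nowhere to start reading
    window = event[m.end():m.end() + lookahead]
    # strptime needs an exact match, so shrink the window from the right
    # until the format fits (longest candidate first).
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def failing_events(events=SAMPLE_EVENTS, **settings):
    """Events that would fall back to the previous event's timestamp."""
    return [e for e in events if extract_timestamp(e, **settings) is None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        ts = extract_timestamp(e)
        print("OK  " if ts else "FAIL", e[:45], "->", ts)
```

Events listed by `failing_events()` are the ones that need a different prefix or format; replace `SAMPLE_EVENTS` with lines copied from the affected sourcetype.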