All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Cisco Sourcefire: Why is the wrong year extracted from events?

ramsanga
Explorer
‎02-04-2015 05:38 AM

I am currently investigating issue where "_time" has year extracted from last octet from the syslog source IP. The logs are from sourcefire and sending syslog without year.

the raw syslog from two source DCs

Feb 4 10:52:22 SIGIPSDC01 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:52:21 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

Feb 4 10:50:51 SIGIPSDC02 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:50:51 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

These logs are forwarded by heavy forwarder and actual logs from search head looks like:

_time
2/4/14 9:50:51.000 PM Feb 4 21:50:51 10.0.12.14Feb 4 10:50:51 SIGIPSDC02 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:50:51 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

_time
2/4/13 9:52:22.000 PM Feb 4 21:52:22 10.0.12.13 Feb 4 10:52:22 SIGIPSDC01 ipsdetect00: [119:31:1] http_inspect: UNKNOWN METHOD [Impact: Currently Not Vulnerable] From "SIG-IPS-DE-01/SIGIPS3D01" at Wed Feb 4 10:52:21 2015 UTC [Classification: Unknown Traffic] [Priority: 3] {tcp} 203.19.222.5:26118->23.23.154.127:80

This issue occurs only if last octet of source syslog device ends with .10 or .11 or .12 or .13 or .14 or .15

0 Karma
Reply

jaivijay_rio
Explorer
‎11-22-2019 11:16 AM

I have the exact same issue with cisco sourcefire logs where splunk assumes a random year on the timestamp.
There is no year information in the logs.

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-21-2015 05:58 PM

We've filed a bug for this and will address.

Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎03-01-2015 09:56 AM

following up... this was discovered to be a Splunk configuration issue that we can't address well from within the Add-on, so we've updated the documentation: http://docs.splunk.com/Documentation/AddOns/latest/Sourcefire/Troubleshooting#Data_truncation_issues

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...