All Apps and Add-ons

Technology Add-on for Cisco Secure Access Control Server (ACS): Trying to get ACS logs into Splunk, the _indextime field is correct, but why not _time?

faizancool85
Path Finder

Hello Guys,

I am facing issue with the _time field. Splunk is not recognizing the time properly, but all other things are working perfectly like _indextime and all.

I am attaching the screenshot for references.

alt text

I had even included following things in props.conf file on both the paths etc\system\local & etc\apps\TA_cisco_ios\local, but after doing that, still no luck

[cisco:acs]
# TIME_PREFIX = ^
# TIME_FORMAT = %B %d %H:%M:%S
# MAX_TIMESTAMP_LOOKAHEAD = 19
# SHOULD_LINEMERGE = false
# LINE_BREAKER = ([\r\n]+)(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s)
# TRUNCATE = 999999

Any solutions to sort this out?

0 Karma
1 Solution

woodcock
Esteemed Legend

If you are shooting for the first timestamp in that event, then the only problem that you have is that your settings are commented out! So change to this:

[cisco:acs]
TIME_PREFIX = ^
TIME_FORMAT = %B %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

View solution in original post

0 Karma

woodcock
Esteemed Legend

If you are shooting for the first timestamp in that event, then the only problem that you have is that your settings are commented out! So change to this:

[cisco:acs]
TIME_PREFIX = ^
TIME_FORMAT = %B %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
0 Karma

faizancool85
Path Finder

Thanks Wood !
I didt noticed that at all, lol 🙂 it was a silly mistake 🙂

0 Karma

dshpritz
SplunkTrust
SplunkTrust

Hey faizancool85,
I see at least three possible time stamps here, one at the start of the event, another one following directly behind it, and then there is one in the event (after the CSCOacs_RADIUS_Accounting). Which of these would you like to use?

Thanks,

Dave

0 Karma

faizancool85
Path Finder

Hi Dave,

Thank your for your reply!
I was trying to use _time event.
It was small mistake, i didnt notice that at all. I forget to remove the comment 😞
now its working fine.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...