Solved: Why am I unable to search data from firewall hosts...

dnorman289 · ‎12-14-2016

Splunk Version: 6.4.0
Splunk Build: f2c836328108

We collect data from Cisco Asa firewalls (5). We are able to search data from all the firewalls when I use the time parameter "all time" However when I try to use other time criteria like "last 7 days" or specific dates, the search doesn't work for one of the firewalls. The same search works if I use another firewall. The data is in the index however I don't get results unless I use "All Time"

masonmorales · ‎12-14-2016

Have you specified the time zone of your data in props.conf on either the heavy forwarder, or on the indexers (if you're using a universal forwarder)?

Take a look at the "TZ" parameter in props.conf

View solution in original post

masonmorales · ‎12-14-2016

Have you specified the time zone of your data in props.conf on either the heavy forwarder, or on the indexers (if you're using a universal forwarder)?

Take a look at the "TZ" parameter in props.conf

alemarzu · ‎12-14-2016

Hi @dnorman289

Check your internals for a timestamp format related events, you will probably have to specifiy the timestamp format on your props.conf.

Richfez · ‎01-26-2017

What date and time are on the events when you use the "All Time" search? My guess is one of your 5 firewalls has the time off.

dnorman289 · ‎12-14-2016

When I perform a tcpdump at the indexer I can see the data inbound to the server.

Why am I unable to search data from firewall hosts unless I select "All Time" time range?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?