All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Cisco ASA 3.2.4: DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event

kmanson
Path Finder
‎03-17-2016 03:16 AM

On our Heavy Forwarder 6.3.3 with Cisco ASA 3.2.4 we keep receiving DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event. Why does the Cisco ASA TA have a TIME_PREFIX without a complete regex?

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30

Sanitized Sample log
Mar 17 04:16:58 10.10.10.10 Mar 17 2016 04:16:58: %ASA-6-305011: Built dynamic UDP translation from Inside:10.10.20.20/2595 to Outside:8.8.8.8/2595

0 Karma
Reply

lakshman239
Influencer
‎03-14-2017 08:03 AM

As you know, the Verbose errors indicates that splunk is unable to parse the timestamp using the strptime (TIME_FORMAT) in the sourcetype. you can do a few things.
1. enable DEBUG by creating file 'log-local.cfg' (copy of log.cfg) in /opt/splunk/etc with following additions
category.DateParserVerbose=DEBUG
category.AggregatorMiningProcessor=DEBUG
2. restart splunk and check for DataVerbose errors. this will show the strptime format issue for you to see how splunk interprets the event timestamp.
3. update your props.conf to reflect something like the below (adjust as needed)

TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n\r]+)\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+
TRUNCATE = 999999

0 Karma
Reply

jcooperFossil
Path Finder
‎03-13-2017 08:19 AM

I'm having the same issue, and I'm running 3.2.6
My default props.conf shows:

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
KV_MODE = auto

My timestamps are coming in like:
Mar 13 00:00:56

0 Karma
Reply

lakshman239
Influencer
‎03-09-2017 07:44 AM

Is your issue resolved now? on Cisco ASA add-on 3.2.6 we don't have parsing errors. on your sourcetype stanza above, MAX_TIME* should appear in the following line. I assume that's not a oversight

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...