Splunk Add-on for Cisco ASA 3.2.4: DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event

kmanson
Path Finder

On our Heavy Forwarder 6.3.3 with Cisco ASA 3.2.4 we keep receiving DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event. Why does the Cisco ASA TA have a TIME_PREFIX without a complete regex?

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30

Sanitized Sample log
Mar 17 04:16:58 10.10.10.10 Mar 17 2016 04:16:58: %ASA-6-305011: Built dynamic UDP translation from Inside:10.10.20.20/2595 to Outside:8.8.8.8/2595

0 Karma

lakshman239
Influencer

As you know, the Verbose errors indicate that Splunk is unable to parse the timestamp using the strptime format (TIME_FORMAT) in the sourcetype. You can do a few things.
1. Enable DEBUG by creating the file 'log-local.cfg' (a copy of log.cfg) in /opt/splunk/etc with the following additions:
category.DateParserVerbose=DEBUG
category.AggregatorMiningProcessor=DEBUG
2. Restart Splunk and check for DateParserVerbose errors. This will show the strptime format issue so you can see how Splunk interprets the event timestamp.
3. Update your props.conf to reflect something like the below (adjust as needed):

TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n\r]+)\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+
TRUNCATE = 999999

0 Karma
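To see why the add-on's bare `TIME_PREFIX = ^` with no `TIME_FORMAT` leaves the parser guessing, here is an added Python script (not code from this thread or from the Cisco ASA add-on) that approximates Splunk's extraction logic: locate TIME_PREFIX, look at most MAX_TIMESTAMP_LOOKAHEAD characters past it, and try TIME_FORMAT against that window. It also applies the LINE_BREAKER from the answer above to a two-event buffer. The sample events are constructed (the second one is invented in the same shape as the sanitized line in the question), and the alternative prefix regex that targets the ASA's own `Mar 17 2016 04:16:58:` timestamp is an assumption made for this example, not an add-on setting.

```python
import re
from datetime import datetime

# Constructed sample events, modelled on the sanitized line from the question.
EVENT_1 = ("Mar 17 04:16:58 10.10.10.10 Mar 17 2016 04:16:58: %ASA-6-305011: "
           "Built dynamic UDP translation from Inside:10.10.20.20/2595 to Outside:8.8.8.8/2595")
EVENT_2 = ("Mar 17 04:17:02 10.10.10.10 Mar 17 2016 04:17:02: %ASA-6-305011: "
           "Built dynamic UDP translation from Inside:10.10.20.21/4410 to Outside:8.8.4.4/4410")

# Settings from the answer above (props.conf [cisco:asa] stanza).
TIME_PREFIX = r"^"
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 30
LINE_BREAKER = r"([\n\r]+)\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"

# Assumption for this example only: a prefix that skips the syslog header
# ("Mar 17 04:16:58 10.10.10.10 ") so the lookahead window starts at the
# ASA's own timestamp, which carries a year.
ASA_TIME_PREFIX = r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"
ASA_TIME_FORMAT = "%b %d %Y %H:%M:%S"


def extract_timestamp(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Approximate Splunk's timestamp extraction.

    Find TIME_PREFIX, take the next `lookahead` characters, and try to parse
    TIME_FORMAT from the start of that window. strptime requires the whole
    string to match, so shorter and shorter slices are tried. Returns None
    when nothing parses, which is the situation that produces the
    'Failed to parse timestamp. Defaulting to timestamp of previous event'
    warning in splunkd.log.
    """
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def split_events(buffer, line_breaker=LINE_BREAKER):
    """Approximate Splunk's LINE_BREAKER semantics.

    The text matched by the capture group is discarded as the boundary; the
    rest of the pattern must match but is kept as the start of the next event.
    """
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(buffer):
        events.append(buffer[start:m.start(1)])
        start = m.end(1)
    events.append(buffer[start:])
    return [e for e in events if e]


if __name__ == "__main__":
    buffer = EVENT_1 + "\n" + EVENT_2
    for event in split_events(buffer):
        # Syslog header timestamp: parses, but has no year (Python reports 1900;
        # Splunk fills in a year from the current date instead).
        print("syslog header ->", extract_timestamp(event))
        # Same window with a year-bearing format fails: the window starts at
        # "Mar 17 04:16:58 10.10..." and "%Y" never matches "04:16:58".
        print("header, year format ->", extract_timestamp(event, time_format=ASA_TIME_FORMAT))
        # Skipping the header gives a complete timestamp including the year.
        print("ASA timestamp ->", extract_timestamp(event, ASA_TIME_PREFIX, ASA_TIME_FORMAT))
```

The point the script makes explicit: with `TIME_PREFIX = ^` the lookahead window always begins at the syslog header, so the format must describe that header (`%b %d %H:%M:%S`, no year). If the forwarder or syslog relay writes a different header shape, nothing within 30 characters parses and every event inherits the previous event's timestamp, which is exactly what the warning reports.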

jcooperFossil
Path Finder

I'm having the same issue, and I'm running 3.2.6.
My default props.conf shows:

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
KV_MODE = auto

My timestamps are coming in like:
Mar 13 00:00:56

0 Karma

lakshman239
Influencer

Is your issue resolved now? On Cisco ASA add-on 3.2.6 we don't have parsing errors. In your sourcetype stanza above, MAX_TIME* should appear on the following line. I assume that's not an oversight.

0 Karma