For some reason, all the pan_traffic logs are showing up as happening in 2013 instead of 2014. System logs are showing the correct year. Any ideas?
Define a more precise timestamp extraction in the sourcetype. This should go into your_app/local/props.conf:
[pan_log]
TIME_FORMAT = %d %b %H:%M:%S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 16
Disclaimer: Didn't test these. Export a few events into a local file and drop them into the data preview, apply these settings, and see if the extraction works as desired.
Once it does, talk to the creators of the app to get this included in future releases.
Okay, I noticed that the system logs from .14 are showing up as happening in 2014, whereas the system logs from .13 are showing up as happening in 2013... so it looks like it is using the last octet of the IP as the year.... Now, how do I change that?
Do correctly filed events (i.e. in 2014) have timestartpos and timeendpos?
Any warnings generated in index=_internal around the time wrongly filed events are indexed?
They do not have timestartpos and timeendpos, but they do have the correct date_year value (2014). Here is an example system log (a WildFire update) which has the correct date_year value extracted:
Nov 25 15:00:36 192.168.96.14 Nov 25 15:00:36 PA-Secondary.abc.abc.com 1,2014/11/25 15:00:36,0011C102389,SYSTEM,general,0,2014/11/25 15:00:36,,general,,0,0,general,informational,Wildfire package upgraded from version 45978-52637 to 45980-52639 by Auto update agent,12291,0x0
Okay, so no year specified... In Splunk's search, pick one of these 2013 events and check the values for timestartpos and timeendpos. They should tell you where Splunk found the timestamp.
I'm guessing it found the 13 in the IP; if so it should be timestartpos=0 timeendpos=29 ish...
I don't see any values for timestartpos or timeendpos, but I do see a value (2013) in "date_year" under "_time". Note that these logs are stored in the pan_logs index created by the Splunk for Palo Alto Networks app.
etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf:
[udp://1514]
index= pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
Got a sample event?
won't let me paste a screenshot...
it looks something like this... but is showing up as 11/25/2013
Nov 25 15:00:37 192.168.96.13 Nov 25 15:00:37 PA-Primary.abc.abc.com 1,2014/11/25 15:00:36,0011C100738,TRAFFIC,end,1,2014/11/25 15:00:36,10.10.1.241,206.78.73.17,174.12.34.226,207.78.71.17,Trust to Untrust,,,dns,vsys1,Trust,Untrust,ethernet1/8,ethernet1/1.2,Splunk forward,2014/11/25 15:00:36,34007029,1,57746,53,18407,53,0x430819,udp,allow,281,98,183,2,2014/11/25 15:00:05,30,any,0,117735991,0x0,192.168.0.0-192.168.255.255,US,0,1,1
You should use the timestamp after the host name like this:
TIME_PREFIX = [^,]+,
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y/%m/%d %H:%M:%S
This will pick this part, marked with [brackets]:
Nov 25 15:00:37 192.168.96.13 Nov 25 15:00:37 PA-Primary.abc.abc.com 1,[2014/11/25 15:00:36],0011C100738,TRAFFIC.....
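As an added check (example code written for this thread, not part of the Splunk for Palo Alto Networks app or of Splunk itself): a small Python model of how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD are applied to an event, run over two events constructed from the samples posted above. It follows the documented semantics (TIME_PREFIX is a regex that must match before the timestamp, the timestamp is then read from the next MAX_TIMESTAMP_LOOKAHEAD characters with strptime-style TIME_FORMAT) but does not reproduce Splunk's datetime.xml fallback, so it is only a way to sanity-check a stanza offline before the data-preview step suggested earlier. The stanza names FIRST_ANSWER, SYSLOG_HEADER and CORRECTED are mine.

```python
"""Offline check of a props.conf timestamp stanza against sample events.

Added example, not code from the thread or from the PAN app. Models the
documented TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD behaviour with
Python's strptime; it does NOT reproduce Splunk's datetime.xml guessing, so a
stanza that returns None here is one Splunk would have to guess for.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample events, trimmed from the two lines posted in the thread
# (placeholder hostnames/IPs as in the thread).
EVENTS = [
    "Nov 25 15:00:37 192.168.96.13 Nov 25 15:00:37 PA-Primary.abc.abc.com "
    "1,2014/11/25 15:00:36,0011C100738,TRAFFIC,end,1,2014/11/25 15:00:36,10.10.1.241",
    "Nov 25 15:00:36 192.168.96.14 Nov 25 15:00:36 PA-Secondary.abc.abc.com "
    "1,2014/11/25 15:00:36,0011C102389,SYSTEM,general,0,2014/11/25 15:00:36,,general",
]

# Stanza from the first answer: %d %b cannot match "Nov 25", so nothing parses.
FIRST_ANSWER = {"TIME_PREFIX": "^", "TIME_FORMAT": "%d %b %H:%M:%S", "MAX_TIMESTAMP_LOOKAHEAD": 16}
# Syslog header with the fields in the right order: parses, but carries no year.
SYSLOG_HEADER = {"TIME_PREFIX": "^", "TIME_FORMAT": "%b %d %H:%M:%S", "MAX_TIMESTAMP_LOOKAHEAD": 16}
# Stanza from the accepted answer: skip to the first comma, read the PAN timestamp.
CORRECTED = {"TIME_PREFIX": "[^,]+,", "TIME_FORMAT": "%Y/%m/%d %H:%M:%S", "MAX_TIMESTAMP_LOOKAHEAD": 30}


def has_year(time_format: str) -> bool:
    """True if the format carries a year; without one the year must be guessed."""
    return "%Y" in time_format or "%y" in time_format


def apply_stanza(event: str, stanza: Dict[str, object]) -> Optional[Tuple[datetime, int, int]]:
    """Return (timestamp, timestartpos, timeendpos) or None if nothing parses.

    TIME_PREFIX must match somewhere in the event; the timestamp is then the
    longest prefix of the following MAX_TIMESTAMP_LOOKAHEAD characters that
    strptime accepts for TIME_FORMAT.
    """
    m = re.search(str(stanza["TIME_PREFIX"]), event)
    if not m:
        return None
    start = m.end()
    window = event[start:start + int(stanza["MAX_TIMESTAMP_LOOKAHEAD"])]
    # strptime needs an exact match, so shrink the window until it parses.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], str(stanza["TIME_FORMAT"]))
        except ValueError:
            continue
        return ts, start, start + end
    return None


def extracted_years(stanza: Dict[str, object]) -> List[Optional[int]]:
    """Year each sample event gets under the stanza; None when the stanza does
    not parse or its TIME_FORMAT has no year (i.e. Splunk would have to guess)."""
    years: List[Optional[int]] = []
    for ev in EVENTS:
        r = apply_stanza(ev, stanza)
        years.append(r[0].year if r and has_year(str(stanza["TIME_FORMAT"])) else None)
    return years


if __name__ == "__main__":
    for name, stanza in [("FIRST_ANSWER", FIRST_ANSWER), ("SYSLOG_HEADER", SYSLOG_HEADER), ("CORRECTED", CORRECTED)]:
        print(name, extracted_years(stanza))
        for ev in EVENTS:
            r = apply_stanza(ev, stanza)
            print("  ", None if r is None else (str(r[0]), "timestartpos=%d timeendpos=%d" % (r[1], r[2])))
```

Only the CORRECTED stanza yields 2014 for both events; the syslog-header variants either fail outright or return a timestamp with no year, which is exactly the situation in which Splunk has to infer one from surrounding text.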