Hi,
We are collecting some test flows from a Cisco ASA, in order to evaluate the feasibility of implementing this app across our entire environment.
We were able to get the app working without any issues, and the search head sees the flows without any issues.
The problem that we are having is that Splunk Enterprise seems to be interpreting the timestamp on a flow incorrectly.
For example, the raw flow in the nfdump-ascii directory looks like this:
2015-06-01 16:36:31,2015-06-01 16:36:31,0.000,10.0.0.115,30.30.30.30,49649,443,TCP,......,0,0,0,0,0,0,8,7,0,0,0,0,0,0,0.0.0.0,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:0:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,10.10.0.10,0/0,1,2015-06-01 16:36:32.088
When I see the flow in the Splunk UI, it shows up thusly -
Any idea what could be wrong?
Thanks and Regards,
Madan Sudhindra
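The flow line above carries three timestamp-shaped values (flow first seen, flow last seen, and the record's collector receive time with millisecond precision), so an extractor that just scans the line for a date can latch onto the wrong one. The following is an added example, not part of the original post or the app: it parses the nfdump-ascii line by column position, lists every timestamp candidate a generic extractor might pick, and pins the event time to the first-seen field. The column layout (ts,te,td,sa,da,sp,dp,pr,...,ra,eng,exid,tr, 48 fields) is assumed from nfdump's CSV output format.

```python
from datetime import datetime
import re

# Constructed sample: the nfdump-ascii flow line quoted in the post, unchanged.
SAMPLE_FLOW = (
    "2015-06-01 16:36:31,2015-06-01 16:36:31,0.000,10.0.0.115,30.30.30.30,49649,443,TCP,......,"
    "0,0,0,0,0,0,8,7,0,0,0,0,0,0,0.0.0.0,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:0:00,"
    "00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,"
    "0-0-0,0-0-0, 0.000, 0.000, 0.000,10.10.0.10,0/0,1,2015-06-01 16:36:32.088"
)

# Assumed column positions, taken from nfdump's CSV layout (ts, te, td, sa, da, sp, dp, pr, ..., ra, eng, exid, tr).
FIELD_INDEX = {"first_seen": 0, "last_seen": 1, "duration": 2, "src_ip": 3, "dst_ip": 4,
               "src_port": 5, "dst_port": 6, "proto": 7, "exporter_ip": 44, "received": 47}
EXPECTED_FIELDS = 48

# Matches both "YYYY-MM-DD HH:MM:SS" and the fractional "YYYY-MM-DD HH:MM:SS.mmm" form.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?")


def parse_ts(text):
    """Parse an nfdump timestamp with or without fractional seconds."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in text else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(text.strip(), fmt)


def timestamp_candidates(line):
    """Every timestamp-looking substring: the values a position-unaware extractor could choose."""
    return TS_RE.findall(line)


def parse_flow(line):
    """Split one nfdump csv record by position and convert its three timestamps."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != EXPECTED_FIELDS:
        raise ValueError(f"expected {EXPECTED_FIELDS} nfdump csv fields, got {len(fields)}")
    rec = {name: fields[i] for name, i in FIELD_INDEX.items()}
    for key in ("first_seen", "last_seen", "received"):
        rec[key] = parse_ts(rec[key])
    # Gap between the flow ending and the collector writing the record (export/collection delay).
    rec["export_delay_s"] = (rec["received"] - rec["last_seen"]).total_seconds()
    return rec


if __name__ == "__main__":
    flow = parse_flow(SAMPLE_FLOW)
    print("timestamp candidates:", timestamp_candidates(SAMPLE_FLOW))
    print("event time (first_seen):", flow["first_seen"].isoformat())
    print("collector receive time:", flow["received"].isoformat(), f"(+{flow['export_delay_s']}s)")
```

If the indexed `_time` matches the last field rather than the first, the extractor is reading the receive timestamp; in Splunk the equivalent of this positional pinning is an explicit `TIME_PREFIX`/`TIME_FORMAT` in props.conf for the sourcetype.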