From 11496c0474f8914d152b60923c6f488e6784107e Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 7 Aug 2020 14:52:37 -0400
Subject: [PATCH] [filtermod] Resolve time issue in acs (#613)

* [filtermod] Resolve time issue in acs

ACS more often than not does not send a better time than BSD time field so do not attempt to use it

* Update lp-cisco_acs.conf.tmpl
---
 .../conf.d/log_paths/lp-cisco_acs.conf.tmpl | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
index fc1b7a7..7c463b8 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
@@ -37,23 +37,6 @@ parser acs_grouping {
 );
 };
 
-#The syslog message includes a date with milliseconds and TZ which is not in the header
-#So must reparse the date
-
-parser acs_event_time {
- csv-parser(
- columns(ACS.DATE, ACS.TIME, ACS.TZ, MESSAGE)
- delimiters(chars(" "))
- flags(greedy)
- );
-
- date-parser-nofilter(
- #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm
- format('%Y-%m-%d %H:%M:%S.%f %z')
- template("${ACS.DATE} ${ACS.TIME} ${ACS.TZ}")
- );
-};
-
 log {
 junction {
 {{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ACS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ACS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ACS_TLS_PORT")) }}
@@ -83,7 +66,6 @@ log {
 if {
 filter(f_cisco_acs_complete);
- parser(acs_event_time);
 rewrite {
 set("cisco_acs", value("fields.sc4s_vendor_product"));
 r_set_splunk_dest_default(sourcetype("cisco:acs"))
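Review bot: Nothing left in the file records why the in-message timestamp is no longer parsed, so the rationale from the removed comment ("includes a date with milliseconds and TZ which is not in the header") now lives only in the commit message and a later maintainer is likely to reintroduce `acs_event_time`. A one-line comment ahead of the `log {` context line in the first hunk would keep the decision next to the code: `# Event time is taken from the syslog header; the in-message date/time/TZ is deliberately not re-parsed because ACS rarely sends a better value than the BSD header field (see #613).` Dropping the `date-parser-nofilter` block also gives up the `%f`/`%z` precision the old format captured, so events whose header carries no timezone will be stamped at header precision in the receiver's assumed zone, which matters when correlating ACS authentication events with other sources; if that trade-off is intended it belongs in the same comment. The matching removal of `parser(acs_event_time);` in the second hunk is consistent with this one; that hunk continues past the end of this excerpt.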