From 5531372b5f94ec3b42337da0af59b117a2bd78ee Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 7 Aug 2020 12:38:08 -0400
Subject: [PATCH] [filtermod] CEF time stamp (#612)

False error caused when itterating through multiple time stamps
add support for fractional seconds
---
 .../conf.d/log_paths/lp-common_event_format.conf.tmpl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index 2dac3d6..65486fe 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -16,12 +16,12 @@ parser p_cef_header {
 };
 parser p_cef_ts_rt {
-    date-parser-nofilter(format('%s')
+    date-parser-nofilter(format('%s.%f','%s')
         template("${.cef.rt}")
     );
 };
 parser p_cef_ts_end {
-    date-parser-nofilter(format('%s')
+    date-parser-nofilter(format('%s.%f','%s')
         template("${.cef.end}")
     );
 };
@@ -66,8 +66,14 @@ log {
     # If we have an rt or end field that is best we use the If trick here so if this parser fails
     # We don't get sent to fallback.
     if {
+        filter{
+            match('^.', value('.cef.rt'))
+        };
         parser (p_cef_ts_rt);
     } elif {
+        filter{
+            match('^.', value('.cef.end'))
+        };
         parser (p_cef_ts_end);
     } else { }; #Do nothing this is allows for both rt and end to be missing and still pass with the message ts
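Review bot: Both `%s.%f` and `%s` in the new `format(...)` lists read the field as epoch seconds, so an `rt` or `end` sent as epoch milliseconds (13 digits, no separator, a form several CEF producers use) would not be rejected by `%s` but, if the parser accepts it, dated tens of thousands of years out, with no error to surface the mistake. Whether any source on this log path sends milliseconds cannot be confirmed from the hunk, but the two parsers `p_cef_ts_rt` and `p_cef_ts_end` carry no comment on what they accept. At minimum a comment above each would document the limit, e.g. `# rt/end are parsed as epoch seconds with an optional fractional part; epoch-millisecond values are not detected and would be mis-dated`; if millisecond sources are expected, a 13-digit value should be routed to a separate parser that divides by 1000 before these formats are tried.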
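Review bot: `match('^.', value('.cef.rt'))` only tests that the field is non-empty, so a non-numeric `rt` (for example the `MMM dd yyyy HH:mm:ss` form the CEF guide also allows) still reaches `date-parser-nofilter`, and the branch is then accepted or rejected by the parser failing rather than by the guard this commit introduces; the same holds for the `.cef.end` filter in the `elif`. A pattern that matches what the parser can actually consume makes the intent explicit and keeps non-epoch values out of the parser: `match('^[0-9]+(\.[0-9]+)?$', value('.cef.rt'))` and likewise `match('^[0-9]+(\.[0-9]+)?$', value('.cef.end'))`. The existing comment above `if {` could then say what the guard is for, e.g. `# only try the epoch parser when the field is present and numeric; otherwise fall through to end, then to the message timestamp`. The enclosing `log { ... }` block begins before this hunk.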