From 8f7fa8df6afbe8f8a94971fcd0c037acfa411992 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 7 Aug 2020 14:52:49 -0400
Subject: [PATCH] [filtermod] cisco date parser issues (#611)

* [filtermod] cisco date parser issues

False error reported when cisco device sends uptime device reported time errors will now use the indexed field cisco_time_error

Add micro seconds format without year

* Update cisco_syslog.conf

Use cisco time even when wrong
---
 .../conf.d/filters/cisco/cisco_syslog.conf | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index 61da774..366d228 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -102,17 +102,24 @@ parser cisco-parser-ex{
 filter {
 match('^(\*|\.)$' value("7"));
 };
- rewrite { set("cisco reported time error : ${8}" value("fields.sc4s_error")); };
- } else {
- parser { date-parser-nofilter(format(
- '%b %d %H:%M:%S.%f',
- '%b %d %H:%M:%S',
- '%b %d %I:%M:%S %p.%f',
- '%b %d %I:%M:%S %p',
- '%b %d %Y %H:%M:%S.%f',
- '%b %d %Y %H:%M:%S')
- template("$8"));
- };
+ rewrite { set("cisco reported time error : ${7}" value("fields.cisco_time_error"));
+ };
+ if {
+ if {
+ filter {
+ match('^\w\w\w' value("8"));
+ };
+ parser { date-parser-nofilter(format(
+ '%b %d %H:%M:%S.%f',
+ '%b %d %H:%M:%S',
+ '%b %d %I:%M:%S %p.%f',
+ '%b %d %I:%M:%S %p',
+ '%b %d %Y %H:%M:%S.%f',
+ '%b %d %H:%M:%S.%f',
+ '%b %d %Y %H:%M:%S')
+ template("$8"));
+ };
+ };
 };
 } else {
 #Cisco AireOS format
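Review bot: The sixth entry in the new `date-parser-nofilter` format list, `'%b %d %H:%M:%S.%f'`, is byte-identical to the first entry, so the "micro seconds format without year" the commit message describes was already covered and the added line is a no-op that should be dropped (or replaced by whichever layout was actually meant). With `} else {` removed, the nested `if { if { filter { match('^\w\w\w' value("8")); }; parser { … }; }; };` now sits inside the branch gated by `match('^(\*|\.)$' value("7"))`, so a message whose field 7 is empty (neither `*` nor `.`) appears to skip the date parser entirely unless another parser outside this hunk handles it; the enclosing `if` starts before the hunk, so please confirm that is intended. By my count the new side also opens two `if {` blocks but closes only one with an added `};`, leaving the context `};` to close the other and `} else {` to pair with the `^(\*|\.)$` `if` rather than its former parent, which is worth confirming against a syslog-ng syntax check. Since `fields.cisco_time_error` is now an indexed signal for unsynchronised device clocks, a short comment on the rewrite would help operators, e.g. `# ${7} is the IOS clock marker ('*' clock not set, '.' NTP not synced); the preceding filter limits it to those two values`.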