From ab4c01fd9055ea2756dd9d25ec86e8d192936a84 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Fri, 7 Aug 2020 15:39:48 -0400 Subject: [PATCH] [fix] lost brace in merge (#619) * [filtermod] cisco date parser issues False error reported when cisco device sends uptime device reported time errors will now use the indexed field cisco_time_error Add micro seconds format without year * Update cisco_syslog.conf Use cisco time even when wrong * Update cisco_syslog.conf --- package/etc/conf.d/filters/cisco/cisco_syslog.conf | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf index 366d228..8fe0309 100644 --- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf +++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf @@ -102,14 +102,13 @@ parser cisco-parser-ex{ filter { match('^(\*|\.)$' value("7")); }; - rewrite { set("cisco reported time error : ${7}" value("fields.cisco_time_error")); + rewrite { set("cisco reported time error : ${7}" value("fields.cisco_time_error"));}; }; if { - if { - filter { - match('^\w\w\w' value("8")); - }; - parser { date-parser-nofilter(format( + filter { + match('^\w\w\w' value("8")); + }; + parser { date-parser-nofilter(format( '%b %d %H:%M:%S.%f', '%b %d %H:%M:%S', '%b %d %I:%M:%S %p.%f', @@ -118,8 +117,7 @@ parser cisco-parser-ex{ '%b %d %H:%M:%S.%f', '%b %d %Y %H:%M:%S') template("$8")); - }; - }; + }; }; } else { #Cisco AireOS format
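Review bot: The `filter { match('^(\*|\.)$' value("7")); };` branch in the first hunk has no comment saying what the captured marker means, or that the timestamp in `$8` is still parsed and applied by the `if` block that follows. I would add above the filter `# "*" = device clock not authoritative, "." = NTP sync lost; device time is still used, so check fields.cisco_time_error before trusting event order`. As far as the visible lines show, `fields.cisco_time_error` is the only trace that the device flagged its own clock, so timeline reconstruction and time-windowed detections should key on that field; please confirm the receive time is still kept elsewhere. The format list also carries `'%b %d %H:%M:%S.%f'` twice (once in each hunk's context), and the second entry looks redundant. The first `if` and `parser cisco-parser-ex` begin outside the hunks, and the `else` branch continues past the second hunk.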