Updated timestamp extraction and Updated example conf as per alphabat…

…ical order
CSVD · May 13, 2020 · d29bd31 · d29bd31
1 parent dd50bd8
commit d29bd31
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 9 deletions.
diff --git a/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_wsa.conf.tmpl
@@ -34,6 +34,19 @@ log{
 
     } elif {
         filter(f_cisco_wsa11_7);
+        parser {
+                filter {
+                    program(
+                        '(?:(?<EPOCH>\d{10})(?:.(?<TIMESECFRAC>\d{1,9}))?)'
+                        flags(store-matches)
+                    );
+                };
+                parser {
+                    date-parser-nofilter(format('%s.%f')
+                                template("${EPOCH}.${TIMESECFRAC}")
+                    );
+                };
+        };
         rewrite {
                 set("cisco_wsa11_7", value("fields.sc4s_vendor_product"));
                 r_set_splunk_dest_default(sourcetype("cisco:wsa:squid:new"), index("netops"),source("wsa_11.7"))
@@ -43,6 +56,19 @@ log{
         rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
 
     } else {
+        parser {
+                filter {
+                    program(
+                        '(?:(?<EPOCH>\d{10})(?:.(?<TIMESECFRAC>\d{1,9}))?)'
+                        flags(store-matches)
+                    );
+                };
+                parser {
+                    date-parser-nofilter(format('%s.%f')
+                                template("${EPOCH}.${TIMESECFRAC}")
+                    );
+                };
+        };
         rewrite {
                 set("cisco_wsa", value("fields.sc4s_vendor_product"));
                 r_set_splunk_dest_default(sourcetype("cisco:wsa:squid"), index("netops"))

diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -39,6 +39,12 @@ filter f_cisco_meraki {
     host("testcm-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
 };
+filter f_cisco_wsa{
+    host("cisco_wsa" type(glob))
+};
+filter f_cisco_wsa11_7{
+    host("cisco_wsa11_7" type(glob))
+};
 filter f_cisco_nx_os {
     host("csconx-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
@@ -80,9 +86,3 @@ filter f_tzfixny {
     host("tzfny-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_cisco_wsa{
-    host("cisco_wsa" type(glob))
-};
-filter f_cisco_wsa11_7{
-    host("cisco_wsa11_7" type(glob))
-};
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -2,6 +2,8 @@ f_test_test,sc4s_vendor_product,"test_test"
 f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
 f_null_queue,sc4s_vendor_product,"null_queue"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
+f_cisco_wsa,sc4s_vendor_product,"cisco_wsa"
+f_cisco_wsa11_7,sc4s_vendor_product,"cisco_wsa11_7"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
 f_f5_bigip,sc4s_vendor_product,"f5_bigip"
@@ -17,6 +19,4 @@ f_proofpoint_pps_filter,sc4s_vendor_product,"proofpoint_pps_filter"
 f_schneider_apc,sc4s_vendor_product,"schneider_apc"
 f_ubiquiti_unifi_fw,sc4s_vendor_product,"ubiquiti_unifi_fw"
 f_tzfixhst,sc4s_time_zone,"Pacific/Honolulu"
-f_tzfixny,sc4s_time_zone,"America/New_York"
-f_cisco_wsa,sc4s_vendor_product,"cisco_wsa"
-f_cisco_wsa11_7,sc4s_vendor_product,"cisco_wsa11_7"
+f_tzfixny,sc4s_time_zone,"America/New_York"