Hello,
I have logs from Cisco ESA (emails) and some of them are logged in the future. For example this log is marked "12/16/15 11:**20:30.290** PM" by Splunk but it should be "Dec 16 00:28:26".
Dec 16 00:28:26 <internal-IP> logs: Info: MID XXXXX Message-ID '<20151215232030290.BLABLA@XXXX.COM>'
As you can see, the email address contains "20:30.290" which makes the timestamp wrong.
To block this behavior, I tried to set up MAX_TIMESTAMP_LOOKAHEAD to 16 or 19 but it seems that Splunk keeps reading the whole log because for the above example, I have this field: timeendpos = 82 (it stops after 20151215232030290)
My props.conf (on the indexer):
[cisco:esa:legacy]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 19
NO_BINARY_CHECK = true
Any idea?
Thank you
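As an added illustration (not part of the question or of any answer, and not Splunk's own parser), the following Python emulates what TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and an explicit TIME_FORMAT restrict the timestamp search to on a line like the one quoted above. The sample line, its IP and IDs are constructed placeholders, and the year is an assumption because the log line carries none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the line in the question; IP and IDs are placeholders.
SAMPLE = ("Dec 16 00:28:26 10.0.0.1 logs: Info: MID 12345 "
          "Message-ID '<20151215232030290.BLABLA@EXAMPLE.COM>'")

# Assumed stanza settings: the two from the question plus an explicit TIME_FORMAT.
TIME_PREFIX = r"^"
MAX_TIMESTAMP_LOOKAHEAD = 19
TIME_FORMAT = "%b %d %H:%M:%S"

# Regex equivalents for the strptime directives used in TIME_FORMAT.
# %d accepts an optional leading space so syslog-style padded days ("Dec  6") match too.
_DIRECTIVES = {"%b": r"[A-Z][a-z]{2}", "%d": r"\s?\d{1,2}",
               "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}"}


def format_to_regex(fmt):
    """Translate a strptime-style format into a regex; literal characters are escaped."""
    pattern, i = "", 0
    while i < len(fmt):
        directive = fmt[i:i + 2]
        if directive in _DIRECTIVES:
            pattern += _DIRECTIVES[directive]
            i += 2
        else:
            pattern += re.escape(fmt[i])
            i += 1
    return pattern


def timestamp_window(line):
    """Return the slice of the line that the lookahead allows the timestamp search to see."""
    prefix = re.search(TIME_PREFIX, line)
    if prefix is None:
        return ""
    return line[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]


def extract_timestamp(line, year=2015):
    """Return (datetime, timeendpos) found inside the window, or (None, None) if none matches."""
    prefix = re.search(TIME_PREFIX, line)
    window = timestamp_window(line)
    match = re.search(format_to_regex(TIME_FORMAT), window)
    if prefix is None or match is None:
        return None, None
    ts = datetime.strptime(match.group(0).replace("  ", " "), TIME_FORMAT).replace(year=year)
    return ts, prefix.end() + match.end()
```

With the 19-character window the Message-ID digits never reach the parser, so timeendpos lands at 15 rather than 82.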