
Time read by Splunk is misleading #244

Open
thomasleu opened this issue Mar 14, 2022 · 2 comments

Comments

@thomasleu

Describe the bug

The time recognition method of Splunk will detect milliseconds from the next field that is an IP.

Expected behavior

There should be no milliseconds, because the field does not contain that information.

Current behavior

From the next field which is an IP address, the first octet will be used as milliseconds of the time.

Possible solution

In props.conf, the time format can be written so that Splunk knows how to interpret the time field.

Steps to reproduce

Screenshots

Context

If you have 1000s of events that are done on multiple firewalls in the same second, it will be misleading to handle those things in the right order.

Your Environment

  • Version used:
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3):
  • Operating System and version (desktop or mobile):
  • Link to your project:
@thomasleu thomasleu added the bug label Mar 14, 2022
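As an added example (not code from the issue or from the add-on), the mechanism the report describes, simulated in Python: a lenient timestamp recogniser that accepts a comma as the fractional-seconds separator reads the leading digits of the following IP field as milliseconds, while a parser pinned to a strict format over the timestamp field alone does not, which is what a fixed TIME_FORMAT in props.conf achieves. The sample log lines, the CSV field layout and the comma-as-fraction behaviour are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the issue): a timestamp field followed
# by a comma-separated IP field, then the firewall name, as in a CSV-style log.
# Both events fall in the same second on two different firewalls.
SAMPLE_LINES = [
    "2022/03/14 10:22:33,192.0.2.10,fw-a,TRAFFIC,allow",
    "2022/03/14 10:22:33,10.0.0.5,fw-b,TRAFFIC,deny",
]

# Lenient recognition (an assumption modelling the reported behaviour):
# a "," after the seconds is accepted as a fractional-seconds separator,
# so the first octet of the IP field is swallowed as milliseconds.
LENIENT_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:[.,](\d{1,3}))?"
)


def lenient_parse(line):
    m = LENIENT_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    frac = m.group(2)
    if frac:
        # ",10" is read as 0.10 s, ",192" as 0.192 s
        ts = ts.replace(microsecond=int(frac.ljust(3, "0")) * 1000)
    return ts


# Strict parse: only the timestamp field is handed to the parser with an
# exact format, so nothing past the seconds is ever read. The Splunk
# equivalent (assumed field layout) is a props.conf stanza such as:
#   TIME_FORMAT = %Y/%m/%d %H:%M:%S
#   MAX_TIMESTAMP_LOOKAHEAD = 19
STRICT_FORMAT = "%Y/%m/%d %H:%M:%S"


def strict_parse(line, fmt=STRICT_FORMAT):
    field = line.split(",", 1)[0]
    return datetime.strptime(field, fmt)


def order_by(parser, lines):
    """Return firewall names in the order the parser's timestamps sort them."""
    parsed = [(parser(line), line.split(",")[2]) for line in lines]
    # sorted() is stable, so equal timestamps keep their arrival order
    return [name for _, name in sorted(parsed, key=lambda p: p[0])]
```

With the lenient parser fw-b sorts before fw-a purely because 10 < 192 in the IP field; the strict parser keeps the events at the same second in arrival order.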
@welcome-to-palo-alto-networks

🎉 Thanks for opening your first issue here! Welcome to the community!

@paulmnguyen paulmnguyen self-assigned this May 17, 2022
@paulmnguyen
Contributor

Hey Thomas, could you please provide a screenshot of the timestamp issue you are seeing? Could you also please provide me some context about your environment:

  1. version of app/add-on
  2. Where are logs coming from? Cortex? Firewall/Panorama?
  3. Do you have syslog-ng server?
