Cisco catalyst testdata fix (demisto#32019)

* Modified the parsing rule to support timestamp without a year

* Added release note

Packs/CiscoCatalyst/ParsingRules/CiscoCatalyst/CiscoCatalyst.xif

@@ -1,13 +1,22 @@
 [INGEST:vendor="cisco", product="catalyst", target_dataset="cisco_catalyst_raw", no_hit = keep]
 filter _raw_log ~= "[A-Za-z]+\s+\d+\s+\d{4}\s+\d+\:\d+\:\d+\sUTC" or _raw_log ~= "[A-Za-z]+\s+\d+\s+\d+\:\d+\:\d+\.\d+\sUTC"
-//supported format May 16 2023 14:30:00 UTC
+// supported format May 16 2023 14:30:00 UTC
 | alter tmp_time_string1 = arrayindex(regextract(_raw_log ,"(\w+\s\d+\s\d+\s\d+\:\d+\:\d+)\sUTC"),0)
-| alter tmp_time1 = parse_timestamp("%b %d %Y %H:%M:%S",tmp_time_string1 )
-//supported format May  2 09:47:18.714 UTC
-| alter tmp_time_string2 = arrayindex(regextract(_raw_log, "\w+\s+(\d+\s\d+\:\d+\:\d+)\.\d+\sUTC"),0),
-    tmp_month_string2 = arrayindex(regextract(_raw_log, "(\w+)\s+\d+\s\d+\:\d+\:\d+\.\d+\sUTC"),0),
-    tmp_Year = format_timestamp("%Y",_insert_time)
-| alter tmp_time_concat2 = concat(tmp_month_string2, " ", tmp_time_string2, " ", tmp_Year)
-| alter tmp_time2 = parse_timestamp("%b %d %H:%M:%S %Y",to_string(tmp_time_concat2) )
-| alter _time = coalesce(tmp_time1, tmp_time2 )
-| fields -tmp_time_string1, tmp_time1, tmp_time_string2, tmp_time2 , tmp_time_concat2 , tmp_Year ;
+| alter tmp_time_with_year = parse_timestamp("%b %d %Y %H:%M:%S",tmp_time_string1 )
+// supported format May  2 09:47:18.714 UTC
+| alter
+        tmp_time_without_year = arraystring(regextract( _raw_log, "(\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2}\.\d+\s)UTC"), ""),
+        tmp_year = to_string(format_timestamp("%Y",current_time()))
+| alter
+        tmp_time_format2 = if(tmp_time_without_year != null and tmp_time_without_year != "", concat(tmp_year, " ", tmp_time_without_year), null)
+| alter
+    tmp_time1_1 = parse_timestamp("%Y %b %e %H:%M:%E*S", tmp_time_format2 )
+| alter tmp_timeDiff = timestamp_diff(tmp_time1_1, current_time(), "DAY")
+// Check if the date is a future date
+| alter tmp_year2 = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_year),1)),null)
+// Create timestamp minus 1 year if the timestamp is a future one
+| alter tmp_time1_2 = if(tmp_year2 != null, concat(tmp_year2, " ", tmp_time_without_year), null)
+| alter tmp_time1_2 = if(tmp_time1_2 != null, parse_timestamp("%Y %b %e %H:%M:%E*S", tmp_time1_2 ),null)
+| alter tmp_time_without_year = coalesce(tmp_time1_2, tmp_time1_1)
+| alter _time = coalesce(tmp_time_with_year, tmp_time_without_year)
+| fields -tmp_time_string1, tmp_time_with_year, tmp_time2 , tmp_time_concat2 , tmp_year, tmp_year2, tmp_time_without_year, tmp_time_format2, tmp_timeDiff, tmp_time1_1, tmp_time1_2;

Packs/CiscoCatalyst/ReleaseNotes/1_0_4.md

@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### CiscoCatalyst Parsing Rule
+Improved implementation of parsing rule.

Packs/CiscoCatalyst/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cisco Catalyst",
     "description": "Cisco Catalyst switch",
     "support": "xsoar",
-    "currentVersion": "1.0.3",
+    "currentVersion": "1.0.4",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",