Fix/XSUP-69940/FortiManager parsing rule

[MosheEichler]

Status

• In Progress
• Ready
• In Hold - (Reason for hold)

Related Issues

https://jira-dc.paloaltonetworks.com/browse/XSUP-69940

Description

Root Cause:

The parsing rule in FortiManager.xif used a generic regex regextract(_raw_log, "\d{2}:\d{2}:\d{2}") to extract the time component, which grabbed the first HH:MM:SS pattern found anywhere in the raw log — not necessarily the time= field. This caused the wrong timestamp (or the ingestion time fallback) to be stored in _time.

Fix applied in FortiManager.xif:

Changed the filter to specifically match date=YYYY-MM-DD time=HH:MM:SS tz=... key-value format
Changed tmp_date extraction to use date=(\d{4}-\d{2}-\d{2}) — anchored to the date= field
Changed tmp_time extraction to use time=(\d{2}:\d{2}:\d{2}) — anchored to the time= field
The tz= extraction was already correct and unchanged

Must have

• Tests
• Documentation

[content-bot]

🤖 AI-Powered Code Review Available

You can leverage AI-powered code review to assist with this PR!

Available Commands:

• @marketplace-ai-reviewer start review - Initiate a full AI code review
• @marketplace-ai-reviewer re-review - Incremental review for new commits

[content-bot]

⚠️ The PR is missing the ready-for-pipeline-running label. Please add the label when the PR is ready in order to proceed.

[content-bot]

🔍 AI Triage Report Available

An automated triage report has been generated for this pipeline.

Status: failed
Report ID: 873fe64d802f2363

📋 Triage Report
💡 Resolutions are available in the full report.

⚠️ AI-generated triage. Validate before acting.