https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337081#M62227 <P>thanks! I'm going to pop in the lookahead part right now and will see what happens, I'll report back tmw</P> Wed, 07 Jun 2017 00:00:21 GMT lacrosse1991 2017-06-07T00:00:21Z https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337079#M62225 <P>Hello,</P> <P>I recently noticed that a small amount of ISE logs each day were getting split up. In order to remedy this, I adjusted the maximum log length on the ISE nodes to 1400 (it had previously been set to 1024). I thought this would at least make a little bit of a difference, but it does not appear to have improved at all. Is there anything else that I can change or check to help remedy this issue? </P> <P>An example of the logs can be found below. Notice how one event has a sourcetype of cisco:ise:syslog, while the other event has a generic sourcetype of syslog and is missing a timestamp</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3038i08AFC4135B37E099/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 06 Jun 2017 13:38:56 GMT https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337079#M62225 lacrosse1991 2017-06-06T13:38:56Z https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337080#M62226 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/39580">@lacrosse1991</a> It may be happenng because Splunk sees a timestamp further into the event on the field "ScheduledAt". By default we look 150 into the event for a timestamp. If that is the case you can set the following in props.conf on your indexer for this sourcetype to reduce how many characters Splunk looks into the event for the timestamp.</P> <P>$SPLUNK_HOME/etc/system/local/props.conf<BR /> [cisco:ise:syslog]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 20</P> <P>If you still see the issue you can use LINE_BREAKER in props.conf</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf</A></P> Tue, 29 Sep 2020 14:23:25 GMT https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337080#M62226 rphillips_splk 2020-09-29T14:23:25Z https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337081#M62227 <P>thanks! I'm going to pop in the lookahead part right now and will see what happens, I'll report back tmw</P> Wed, 07 Jun 2017 00:00:21 GMT https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337081#M62227 lacrosse1991 2017-06-07T00:00:21Z https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337082#M62228 <P>for this to work, would I need to have the sourcetype for my input manually set to cisco:ise:syslog? I'm unfortunately still getting the same behavior. Thought I would check on the sourcetype part before I move forward with trying the line_breaker function. </P> Wed, 07 Jun 2017 12:44:19 GMT https://community.splunk.com/t5/Getting-Data-In/What-could-be-causing-my-ISE-logs-to-split-up-and-get/m-p/337082#M62228 lacrosse1991 2017-06-07T12:44:19Z