hi experts, I'm new to Splunk and have existing Splunk (syslog). I can get all the data into it but wanted to generate a report showing the Users successful authentication.  We got 2 SSID via ISE (enterprise deployment where we got node in DMZ and intranet) - 1) Guest - open/web redirection 2) Staff - with WPA2/Auth(802.1X). I played around with it and somehow I'm getting the correct report I need for Guest but the issue is I'm only getting only failed auth in Staff.

Does anyone there who have done this before? any tips/ideas? TIA

worked for Guest:

index=network sourcetype=cisco:ise:syslog Authentication succeeded* |table EndPointMACAddress,UserName,Address,ISEPolicySetName |dedup EndPointMACAddress

Not working for Staff:

index=network sourcetype=cisco:ise:syslog Authentication succeeded* |table EndPointMACAddress,UserName,Address,ISEPolicySetName |dedup EndPointMACAddress