All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Events not breaking at timestamp - Cisco Networks App

josefa
Path Finder
‎03-11-2016 02:27 PM

Hello,

Have a question. I had my cisco logs indexed as sourcetype=syslog, coming from a syslog and sent to Splunk with a forwarder. I then installed the Cisco Networks App and change the sourcetype of this logs to cisco:ios but I've noticed there are some events which are mixed in one same event (no event-breaking at timestamp as usual)

Are there some considerations I should take in regards of props.conf in the App, as I'm receiving logs from a forwarder and not the devices themselves?

Attached some images of what I'm seeing in Splunk. first image how the event looks like (9 cisco events in 1 splunk event) and the second image, where, after the first device hostname it tooks everything as the device_time
Event

Logs being taken as device_time

Any help is much appreciated.

Preview file
59 KB
Preview file
63 KB
0 Karma
Reply

mikaelbje
Motivator
‎03-15-2016 02:54 AM

Haven't seen this before and I have a lot of installations using either direct UDP syslog to Splunk or logging to a syslog daemon with a Universal Forwarder shipping the logs to indexers.

You may need to set up a LINE_BREAKER rule along with SHOULD_LINEMERGE=false in props.conf on your indexers/Heavy Forwarders.

0 Karma
Reply

josefa
Path Finder
‎04-28-2016 02:06 PM

Thanks for your answer, could you tell me how would be the configs in props.conf for the Universal forwarder case? That is how I'm sending the logs to the indexer

0 Karma
Reply

somesoni2
Revered Legend
‎03-11-2016 02:43 PM

Are you using the heavy forwarder to get data from syslog?

0 Karma
Reply

josefa
Path Finder
‎04-28-2016 02:04 PM

Universal forwarding.

I send the device's logs to a file in a syslog /var/log/ciscologs.log and monitor that file with the Universal forwarder, in inputs.conf

[monitor:///var/log/ciscologs.logs]
index=index

0 Karma
Reply

mikaelbje
Motivator
‎04-28-2016 10:35 PM

Try setting

sourcetype = syslog

In your monitor stanza

0 Karma
Reply

lqiao2
Path Finder
‎08-28-2018 07:03 AM

I think also that setting sourcetype = syslog is the right solution and make sure that the Cisco Network Add-on is installed on the indexers/search-heads.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...