- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not so much a question... more of an answer.
i had a lot of log messages with slashes before the field separating commas. something like:
2015-01-05T14:47:25+00:00 acs02 CSCOacs_Passed_Authentications 0014607956 6 5 ExternalGroups=cn=my-group\,ou=Groups\,dc=my-org\,dc=com, ...
ACS version is acs-5.5.0.46-B.723. splunk 6.1.3 and TA for ACS is the latest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i've added the following line to my props.conf to clean that event data from ACS logs. same trick i used from an old version of the ISE app. i'm fairly certain it's a bug / enhancement on the cisco side for both products.
[cisco:acs]
SEDCMD-clean_logs = s/\\\,/,/g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i've added the following line to my props.conf to clean that event data from ACS logs. same trick i used from an old version of the ISE app. i'm fairly certain it's a bug / enhancement on the cisco side for both products.
[cisco:acs]
SEDCMD-clean_logs = s/\\\,/,/g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice work. I haven't seen this in the samples that I have. You may want to edit this question to have a a question like "How can I remove these slashes from my ACS logs?" and then answer it. That way we can upvote it and it can be marked as answered!
