
How to remove slashes from ACS or ISE logs?

awurster
Contributor

not so much a question... more of an answer.

i had a lot of log messages with slashes before the field separating commas. something like:

2015-01-05T14:47:25+00:00 acs02 CSCOacs_Passed_Authentications 0014607956 6 5  ExternalGroups=cn=my-group\,ou=Groups\,dc=my-org\,dc=com, ...

ACS version is acs-5.5.0.46-B.723. splunk 6.1.3 and TA for ACS is the latest.

1 Solution

awurster
Contributor

i've added the following line to my props.conf to clean that event data from ACS logs. same trick i used from an old version of the ISE app. i'm fairly certain it's a bug / enhancement on the cisco side for both products.

[cisco:acs]
SEDCMD-clean_logs = s/\\\,/,/g
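What this substitution does to the sample event, next to an escape-aware split of the raw line, as an added example that is not part of the original post. The `UserName` attribute is constructed, and the parsing rule (an unescaped comma ends an attribute, `\,` is a literal comma inside a value) is an assumption made for illustration.

```python
import re

# Constructed sample modelled on the event in the question; the trailing
# UserName attribute is made up so there is a second field to split on.
RAW = (r"2015-01-05T14:47:25+00:00 acs02 CSCOacs_Passed_Authentications "
       r"0014607956 6 5  ExternalGroups=cn=my-group\,ou=Groups\,dc=my-org\,dc=com, "
       r"UserName=jdoe")


def sedcmd_clean(event):
    # Python equivalent of the props.conf substitution: every
    # backslash-comma pair becomes a plain comma.
    return re.sub(r"\\\,", ",", event)


def attributes(event):
    # Assumption: attributes begin at the first "Key=" token after the
    # syslog header, an unescaped comma ends an attribute, and "\," is a
    # literal comma that belongs to the value.
    body = event[re.search(r"\b\w+=", event).start():]
    out = {}
    for part in re.split(r"(?<!\\),\s*", body):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip()] = value.replace("\\,", ",")
    return out


if __name__ == "__main__":
    cleaned = sedcmd_clean(RAW)
    print("cleaned event :", cleaned)
    # Escape-aware split of the raw event keeps the DN in one value.
    print("raw, parsed   :", attributes(RAW))
    # The same comma split on the cleaned event can no longer tell a
    # comma inside the DN from the comma that ends the attribute.
    print("cleaned,parsed:", attributes(cleaned))
```

Under that assumption, a consumer that splits on commas should read the raw event; the cleaned event suits search-time display and extractions that do not depend on the comma as a delimiter.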


dshpritz
SplunkTrust

Nice work. I haven't seen this in the samples that I have. You may want to edit this question to have a question like "How can I remove these slashes from my ACS logs?" and then answer it. That way we can upvote it and it can be marked as answered!
