All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing fields from Cisco ISE evens

DomenicoFumarol
Explorer
‎02-13-2018 01:50 AM

Hi All,
we deployed our Cisco ISE App, as well as the Add-On, following the installation guide but most of our dashboards are empty.
Looking at some searches like:

eventtype=cisco-ise-profiler
| stats count by EndpointMatchedPolicy EndpointMacAddress EndpointIPAddress NAS_Port_Id NAS_Port_Type DeviceRegistrationStatus
|format_field_names

we see that fields fields like NAS_Port_Id, NAS_Port_Type and DeviceRegistrationStatus don't exist in the events when we filter by eventtype=cisco-ise-profiler.

Is there anyone else experiencing the same?

Logs are sent directly via Syslog from ISE ( version 2.2.0.470) to our UF.

0 Karma
Reply

stboch
SplunkTrust
SplunkTrust
‎02-15-2018 08:33 AM

You probably might be the length issue with cisco's default syslog configuration.

Have your ISE administrator verify the maximum length settings. It should be set to 8192.
The other way to tell via the log is the numbering prior to the time. Example below.

CISE_Profiler 0006602215 1 0 2018-02-15 11:27:10.946

The number 1 means syslog 1 message the second number 0 means this is message id 0 (#1) counting from 0 if you see 3 1 this is likely the issue where the maximum length wasn't increased and splunk is receiving the messages broken into several messages.

http://docs.splunk.com/Documentation/AddOns/released/CiscoISE/ConfigureCiscoISEsystemlogging

Maximum Length 8192 Events will be broken if you use a smaller value.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...