All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Cisco IPS

djames
New Member
‎05-16-2011 07:26 AM

When I run | search index="_internal" sourcetype="sdee_connection" I get the following error: 

Mon May 16 10:20:10 2011 - ERROR - Exception thrown while parsing SDEE payload: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 74, in run
    alert_obj_list = idsmxml.parse_alerts( result_xml )
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 240, in parse_alerts
    alert_obj = build_global(alert)
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 136, in build_global
    alert.appname = node.getElementsByTagName('sd:originator')[0].getElementsByTagName('cid:appName')[0].firstChild.wholeText
IndexError: list index out of range
0 Karma
Reply

troywollenslege
Path Finder
‎02-03-2012 11:02 AM

our splunkd.log
failed to parse timestamp for event. context="source::c:\Splunk_CiscoIPS\bin\get_ips_feed.py", line 74 in run...
Failed to parse timestamp for event. Context="soruce::c:\var\log\sdee_get.log|host::ciscohost|sdee_get-too_small|" Text="
failed to parse timestamp for event.
context="source::c:\Splunk_CiscoIPS\bin\pysdee\idsmxml.py", line 243, in parse_..."

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎05-16-2011 01:35 PM

whats in your splunkd.log? It should have some messages in it which are relevant to the collection of these logs via the scripted input. I know there are people who have this configuration working out there.

0 Karma
Reply

djames
New Member
‎05-16-2011 12:51 PM

Has anyone ever got this to work? I am trying to see the IPS alerts from my Cisco ISR router running the IOS IPS feature set. I run on the router sh ip sdee sub and can see that the router is sending the sdee alerts to the splunk server. I am running the latest splunk on a 64bit Ubuntu server. But other than that, absolutely nothing on the real time IPS Dashboard.

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎05-16-2011 09:11 AM

There was an error around this particular 'list index out of range' error that was resolved in 4.2.1, SPL-38100. If you haven't already, it may be a good idea to update the product to see if that resolves this problem.

0 Karma
Reply

troywollenslege
Path Finder
‎02-03-2012 10:56 AM

We are getting the same error. Running on 4.2.5 windows forwarder (with forwarder license)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...