All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Cisco IPS

djames
New Member
‎05-16-2011 07:26 AM

When I run | search index="_internal" sourcetype="sdee_connection" I get the following error: 

Mon May 16 10:20:10 2011 - ERROR - Exception thrown while parsing SDEE payload: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 74, in run
    alert_obj_list = idsmxml.parse_alerts( result_xml )
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 240, in parse_alerts
    alert_obj = build_global(alert)
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 136, in build_global
    alert.appname = node.getElementsByTagName('sd:originator')[0].getElementsByTagName('cid:appName')[0].firstChild.wholeText
IndexError: list index out of range
0 Karma
Reply

troywollenslege
Path Finder
‎02-03-2012 11:02 AM

our splunkd.log
failed to parse timestamp for event. context="source::c:\Splunk_CiscoIPS\bin\get_ips_feed.py", line 74 in run...
Failed to parse timestamp for event. Context="soruce::c:\var\log\sdee_get.log|host::ciscohost|sdee_get-too_small|" Text="
failed to parse timestamp for event.
context="source::c:\Splunk_CiscoIPS\bin\pysdee\idsmxml.py", line 243, in parse_..."

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎05-16-2011 01:35 PM

whats in your splunkd.log? It should have some messages in it which are relevant to the collection of these logs via the scripted input. I know there are people who have this configuration working out there.

0 Karma
Reply

djames
New Member
‎05-16-2011 12:51 PM

Has anyone ever got this to work? I am trying to see the IPS alerts from my Cisco ISR router running the IOS IPS feature set. I run on the router sh ip sdee sub and can see that the router is sending the sdee alerts to the splunk server. I am running the latest splunk on a 64bit Ubuntu server. But other than that, absolutely nothing on the real time IPS Dashboard.

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎05-16-2011 09:11 AM

There was an error around this particular 'list index out of range' error that was resolved in 4.2.1, SPL-38100. If you haven't already, it may be a good idea to update the product to see if that resolves this problem.

0 Karma
Reply

troywollenslege
Path Finder
‎02-03-2012 10:56 AM

We are getting the same error. Running on 4.2.5 windows forwarder (with forwarder license)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...