All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk for Cisco IPS - multiple events for single event

agarwalv
Engager
‎05-24-2011 02:01 PM

Hello,
I noticed with the latest version of the app "Splunk for Cisco IPS" that events from my IPS are being displayed multiple times when i query a specific event in a given time frame.
I checked the sdee log on the splunk server; there is a single entry for the event in question, but when i query the same event, it is listed over an 100 times in a span of an hour.

Looks like splunk continues to read the log and display same messages again.

Tags (1)
Reply

Michael_Wilde
Splunk Employee
Splunk Employee
‎08-30-2011 07:45 AM

do you / did you by chance have the UNIX app installed at the time?

0 Karma
Reply

dingdj
Explorer
‎06-06-2011 03:10 PM

  1. Please make sure your inputs.conf have crcSalt and followTail=1

  2. Because the log entry can be very long, make sure the line breaks are correctly done. I used this line in my props.conf file to define the line breaks:

     BREAK_ONLY_BEFORE =  ^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,}

Good luck!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...