All Apps and Add-ons

"Device Port" and "Port" incorrectly extracted in CSCOacs_Failed_Attempts type messages in TA for Cisco ACS

pvarelab
Path Finder

The "Device Port" and "Port" fields are incorrectly extracted in messages of the CSCOacs_Failed_Attempts kind in the Technology Add-on for Cisco Secure Access Control Server (ACS).

I have been able to solve it by adding the following to props.conf:

 

EXTRACT-acs_device_port = ,\s+Device\s+Port=(?<Device_Port>[^,]+)
EXTRACT-acs_port = ,\s+Port=(?<Port>[^,]+)

 

Has anyone had the same problem? Any other ideas?

@dshpritzCould you see if this fix could be included in a future versión of the App, please? Thanks!

Labels (2)
1 Solution

dshpritz
SplunkTrust
SplunkTrust

Added and uploaded to Splunkbase. Not sure how soon it will be visible.

View solution in original post

0 Karma

dshpritz
SplunkTrust
SplunkTrust

I added an issue to the github repo to cover this:

https://github.com/automine/TA-cisco_acs/issues/1

 

0 Karma

dshpritz
SplunkTrust
SplunkTrust

Added and uploaded to Splunkbase. Not sure how soon it will be visible.

0 Karma

pvarelab
Path Finder

It's already visible. Many thanks!

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...