
Splunk for Cisco IPS - multiple events for single event

Engager

Hello,
I noticed with the latest version of the app "Splunk for Cisco IPS" that events from my IPS are being displayed multiple times when I query a specific event in a given time frame.
I checked the sdee log on the Splunk server; there is a single entry for the event in question, but when I query the same event, it is listed over 100 times in a span of an hour.

Looks like Splunk continues to read the log and display the same messages again.


Splunk Employee

Do you / did you by chance have the UNIX app installed at the time?


Explorer
  1. Please make sure your inputs.conf has crcSalt and followTail=1.

  2. Because the log entry can be very long, make sure the line breaks are correctly done. I used this line in my props.conf file to define the line breaks:

     BREAK_ONLY_BEFORE = ^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,}

Good luck!

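To see what the BREAK_ONLY_BEFORE line in the answer above does to a wrapped SDEE entry, here is an added example (not from the thread or the Splunk for Cisco IPS app) that applies the same regex to a constructed SDEE-style sample in Python, emulating Splunk's line breaker next to plain per-line breaking. The sample field values and the emulation are assumptions; Splunk's real pipeline applies further props.conf settings beyond this one regex.

```python
import re

# The BREAK_ONLY_BEFORE pattern quoted in the answer above. Splunk compiles it as PCRE;
# this particular pattern uses nothing that Python's re module treats differently.
BREAK_ONLY_BEFORE = re.compile(r'^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,}')

# Constructed SDEE-style sample (made-up values, not real sensor output): two events,
# the second one wrapped across three physical lines.
SAMPLE_LOG = (
    '1296495000000001 eventId="1296495000000001" hostId="ips-a" severity="high" sigId="2001"\n'
    '1296495000000002 eventId="1296495000000002" hostId="ips-a" severity="medium" sigId="2002"\n'
    '    attacker="10.0.0.7" target="10.0.1.10" riskRating="55"\n'
    '    sigName="constructed-signature" interface="GigabitEthernet0/1"\n'
)


def break_events(text, breaker=BREAK_ONLY_BEFORE):
    """Emulate BREAK_ONLY_BEFORE: a new event starts only at a line the regex matches;
    any other line is folded into the event before it."""
    events = []
    for line in text.splitlines():
        if breaker.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def break_on_newline(text):
    """Per-line breaking: every non-empty physical line becomes its own event,
    so a wrapped SDEE entry turns into several fragments."""
    return [line for line in text.splitlines() if line.strip()]


def event_ids(events):
    """eventId value of each event, or None for a fragment that carries none."""
    ids = []
    for event in events:
        m = re.search(r'eventId="(\d+)"', event)
        ids.append(m.group(1) if m else None)
    return ids


if __name__ == "__main__":
    for name, events in (("BREAK_ONLY_BEFORE", break_events(SAMPLE_LOG)),
                         ("newline", break_on_newline(SAMPLE_LOG))):
        print(f"{name}: {len(events)} event(s), ids={event_ids(events)}")
```

With the regex, the sample yields two events with one eventId each; per-line breaking yields four, two of which carry no eventId at all.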