All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Cisco IPS - multiple events for single event

agarwalv
Engager
‎05-24-2011 02:01 PM

Hello,
I noticed with the latest version of the app "Splunk for Cisco IPS" that events from my IPS are being displayed multiple times when i query a specific event in a given time frame.
I checked the sdee log on the splunk server; there is a single entry for the event in question, but when i query the same event, it is listed over an 100 times in a span of an hour.

Looks like splunk continues to read the log and display same messages again.

Tags (1)
Reply

Michael_Wilde
Splunk Employee
Splunk Employee
‎08-30-2011 07:45 AM

do you / did you by chance have the UNIX app installed at the time?

0 Karma
Reply

dingdj
Explorer
‎06-06-2011 03:10 PM

  1. Please make sure your inputs.conf have crcSalt and followTail=1

  2. Because the log entry can be very long, make sure the line breaks are correctly done. I used this line in my props.conf file to define the line breaks:

     BREAK_ONLY_BEFORE =  ^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,}

Good luck!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...