All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Cisco IPS - multiple events for single event

agarwalv
Engager
‎05-24-2011 02:01 PM

Hello,
I noticed with the latest version of the app "Splunk for Cisco IPS" that events from my IPS are being displayed multiple times when i query a specific event in a given time frame.
I checked the sdee log on the splunk server; there is a single entry for the event in question, but when i query the same event, it is listed over an 100 times in a span of an hour.

Looks like splunk continues to read the log and display same messages again.

Tags (1)
Reply

Michael_Wilde
Splunk Employee
Splunk Employee
‎08-30-2011 07:45 AM

do you / did you by chance have the UNIX app installed at the time?

0 Karma
Reply

dingdj
Explorer
‎06-06-2011 03:10 PM

  1. Please make sure your inputs.conf have crcSalt and followTail=1

  2. Because the log entry can be very long, make sure the line breaks are correctly done. I used this line in my props.conf file to define the line breaks:

     BREAK_ONLY_BEFORE =  ^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,}

Good luck!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...