Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What could be causing my ISE logs to split up and get miscategorized

lacrosse1991
Explorer
‎06-06-2017 06:38 AM

Hello,

I recently noticed that a small amount of ISE logs each day were getting split up. In order to remedy this, I adjusted the maximum log length on the ISE nodes to 1400 (it had previously been set to 1024). I thought this would at least make a little bit of a difference, but it does not appear to have improved at all. Is there anything else that I can change or check to help remedy this issue?

An example of the logs can be found below. Notice how one event has a sourcetype of cisco:ise:syslog, while the other event has a generic sourcetype of syslog and is missing a timestamp

alt text

Preview file
24 KB
0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎06-06-2017 04:06 PM

@lacrosse1991 It may be happenng because Splunk sees a timestamp further into the event on the field "ScheduledAt". By default we look 150 into the event for a timestamp. If that is the case you can set the following in props.conf on your indexer for this sourcetype to reduce how many characters Splunk looks into the event for the timestamp.

$SPLUNK_HOME/etc/system/local/props.conf
[cisco:ise:syslog]
MAX_TIMESTAMP_LOOKAHEAD = 20

If you still see the issue you can use LINE_BREAKER in props.conf

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

0 Karma
Reply

lacrosse1991
Explorer
‎06-07-2017 05:44 AM

for this to work, would I need to have the sourcetype for my input manually set to cisco:ise:syslog? I'm unfortunately still getting the same behavior. Thought I would check on the sourcetype part before I move forward with trying the line_breaker function.

0 Karma
Reply

lacrosse1991
Explorer
‎06-06-2017 05:00 PM

thanks! I'm going to pop in the lookahead part right now and will see what happens, I'll report back tmw

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...