Getting Data In

What could be causing my ISE logs to split up and get miscategorized

lacrosse1991
Explorer

Hello,

I recently noticed that a small amount of ISE logs each day were getting split up. In order to remedy this, I adjusted the maximum log length on the ISE nodes to 1400 (it had previously been set to 1024). I thought this would at least make a little bit of a difference, but it does not appear to have improved at all. Is there anything else that I can change or check to help remedy this issue?

An example of the logs can be found below. Notice how one event has a sourcetype of cisco:ise:syslog, while the other event has a generic sourcetype of syslog and is missing a timestamp.

[screenshot of the two example events]

0 Karma

rphillips_splk
Splunk Employee

@lacrosse1991 It may be happening because Splunk sees a timestamp further into the event on the field "ScheduledAt". By default we look 150 characters into the event for a timestamp. If that is the case you can set the following in props.conf on your indexer for this sourcetype to reduce how many characters Splunk looks into the event for the timestamp.

$SPLUNK_HOME/etc/system/local/props.conf
[cisco:ise:syslog]
MAX_TIMESTAMP_LOOKAHEAD = 20

If you still see the issue you can use LINE_BREAKER in props.conf

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

0 Karma
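To make the two props.conf settings in the answer above concrete, here is an added example (not from this thread and not Splunk's own code) that emulates, in plain Python, how a shorter MAX_TIMESTAMP_LOOKAHEAD stops a mid-event "ScheduledAt" value from being taken as the event time, and how a LINE_BREAKER regex with a capture group decides where one event ends and the next begins. The syslog lines, host name and field values are constructed for the demonstration; the timestamp patterns and the breaker regex are simplified approximations of what Splunk does, not its actual parser.

```python
import re

# Constructed sample stream: a Cisco ISE-style syslog message whose second
# line is a continuation segment without a syslog header of its own, but
# which carries a "ScheduledAt" field containing a date-like value.
SAMPLE_STREAM = (
    "Jun 12 10:15:01 ise-node01 CISE_Passed_Authentications 0000123456 2 0 "
    "2017-06-12 10:15:01 -04:00 0000987654 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, Device IP Address=192.0.2.10,\n"
    "UserName=example.user, NAS-Port-Type=Wireless, "
    "ScheduledAt=2017-06-12 09:00:00, Step=11001, Step=11017\n"
)

# Splunk's default LINE_BREAKER: break on any run of newlines.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# A stricter breaker (assumption for this example): only break on a newline
# that is immediately followed by a syslog header such as "Jun 12 10:15:01 ".
SYSLOG_HEADER_LINE_BREAKER = (
    r"([\r\n]+)(?=[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} )"
)

# Two simplified timestamp shapes: ISO-like "2017-06-12 10:15:01" and
# syslog-like "Jun 12 10:15:01". Real Splunk recognises many more.
TIMESTAMP_PATTERNS = [
    re.compile(r"\b\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),
    re.compile(r"\b[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"),
]


def break_events(stream, line_breaker):
    """Split a raw stream into events using LINE_BREAKER semantics.

    The regex must contain a capture group; text before the group belongs to
    the previous event, text after it starts the next event, and the captured
    text itself is discarded. Empty events are dropped.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups == 0:
        raise ValueError("LINE_BREAKER needs a capture group")
    events, pos = [], 0
    for match in pattern.finditer(stream):
        events.append(stream[pos:match.start(1)])
        pos = match.end(1)
    events.append(stream[pos:])
    return [e.strip("\r\n") for e in events if e.strip()]


def find_timestamp(event, lookahead=150):
    """Return the earliest timestamp-looking string within the first
    `lookahead` characters of the event, or None if there is none.

    `lookahead` plays the role of MAX_TIMESTAMP_LOOKAHEAD (Splunk default 150).
    """
    window = event[:lookahead]
    best = None
    for pattern in TIMESTAMP_PATTERNS:
        match = pattern.search(window)
        if match and (best is None or match.start() < best.start()):
            best = match
    return best.group(0) if best else None


def classify(stream, line_breaker, lookahead):
    """Break the stream and pair each event with the timestamp it would get."""
    return [(find_timestamp(e, lookahead), e) for e in break_events(stream, line_breaker)]


if __name__ == "__main__":
    print("default breaker, lookahead 150:")
    for ts, event in classify(SAMPLE_STREAM, DEFAULT_LINE_BREAKER, 150):
        print(f"  ts={ts!r:24} {event[:50]}...")
    print("default breaker, lookahead 20:")
    for ts, event in classify(SAMPLE_STREAM, DEFAULT_LINE_BREAKER, 20):
        print(f"  ts={ts!r:24} {event[:50]}...")
    print("syslog-header breaker, lookahead 20:")
    for ts, event in classify(SAMPLE_STREAM, SYSLOG_HEADER_LINE_BREAKER, 20):
        print(f"  ts={ts!r:24} {event[:50]}...")
```

With the default breaker and a 150-character lookahead the continuation line becomes its own event and is stamped with the "ScheduledAt" value, which is the miscategorisation the answer describes. Dropping the lookahead to 20 leaves that fragment with no timestamp of its own, and the syslog-header breaker keeps the fragment attached to the message it belongs to, so there is only one event to stamp.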

lacrosse1991
Explorer

For this to work, would I need to have the sourcetype for my input manually set to cisco:ise:syslog? I'm unfortunately still getting the same behavior. Thought I would check on the sourcetype part before I move forward with trying the line_breaker function.

0 Karma

lacrosse1991
Explorer

Thanks! I'm going to pop in the lookahead part right now and will see what happens. I'll report back tomorrow.

0 Karma