Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What could be causing my ISE logs to split up and get miscategorized

lacrosse1991
Explorer
‎06-06-2017 06:38 AM

Hello,

I recently noticed that a small amount of ISE logs each day were getting split up. In order to remedy this, I adjusted the maximum log length on the ISE nodes to 1400 (it had previously been set to 1024). I thought this would at least make a little bit of a difference, but it does not appear to have improved at all. Is there anything else that I can change or check to help remedy this issue?

An example of the logs can be found below. Notice how one event has a sourcetype of cisco:ise:syslog, while the other event has a generic sourcetype of syslog and is missing a timestamp

alt text

Preview file
24 KB
0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎06-06-2017 04:06 PM

@lacrosse1991 It may be happenng because Splunk sees a timestamp further into the event on the field "ScheduledAt". By default we look 150 into the event for a timestamp. If that is the case you can set the following in props.conf on your indexer for this sourcetype to reduce how many characters Splunk looks into the event for the timestamp.

$SPLUNK_HOME/etc/system/local/props.conf
[cisco:ise:syslog]
MAX_TIMESTAMP_LOOKAHEAD = 20

If you still see the issue you can use LINE_BREAKER in props.conf

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

0 Karma
Reply

lacrosse1991
Explorer
‎06-07-2017 05:44 AM

for this to work, would I need to have the sourcetype for my input manually set to cisco:ise:syslog? I'm unfortunately still getting the same behavior. Thought I would check on the sourcetype part before I move forward with trying the line_breaker function.

0 Karma
Reply

lacrosse1991
Explorer
‎06-06-2017 05:00 PM

thanks! I'm going to pop in the lookahead part right now and will see what happens, I'll report back tmw

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...