Hello,
I recently noticed that a small amount of ISE logs each day were getting split up. In order to remedy this, I adjusted the maximum log length on the ISE nodes to 1400 (it had previously been set to 1024). I thought this would at least make a little bit of a difference, but it does not appear to have improved at all. Is there anything else that I can change or check to help remedy this issue?
An example of the logs can be found below. Notice how one event has a sourcetype of cisco:ise:syslog, while the other event has a generic sourcetype of syslog and is missing a timestamp.
@lacrosse1991 It may be happening because Splunk sees a timestamp further into the event on the field "ScheduledAt". By default we look 150 into the event for a timestamp. If that is the case you can set the following in props.conf on your indexer for this sourcetype to reduce how many characters Splunk looks into the event for the timestamp.
$SPLUNK_HOME/etc/system/local/props.conf
[cisco:ise:syslog]
MAX_TIMESTAMP_LOOKAHEAD = 20
If you still see the issue you can use LINE_BREAKER in props.conf
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf
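A simplified model of the lookahead behaviour this answer describes, added here as an illustration rather than code from the thread or from Splunk itself; the two sample lines and their field values are constructed, and the model only approximates the default line-merging rule (a line starts a new event when a timestamp appears within the lookahead window).

```python
import re

# Simplified model (added example, not Splunk's parser) of how the timestamp
# lookahead decides where a new event starts when raw lines are merged: a line
# with a timestamp inside its first MAX_TIMESTAMP_LOOKAHEAD characters starts
# an event, any other line is glued onto the previous one.

# Timestamp shapes an ISE syslog event carries: the syslog header at the front
# of the line, and ISO-style values such as the ScheduledAt field.
TIMESTAMP_PATTERNS = [
    re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"),  # "Jun 12 10:15:01"
    re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),           # "2017-06-12 10:15:00"
]

# Constructed sample: one ISE message the sender split into two syslog frames.
# The second fragment has no syslog header of its own but contains a
# ScheduledAt timestamp well inside the first 150 characters.
RAW_LINES = [
    "Jun 12 10:15:01 ise-node01 CISE_Passed_Authentications 0000123456 2 0 "
    "2017-06-12 10:15:01.123 +00:00 0000987654 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=42, Device IP Address=10.0.0.1, UserName=jdoe,",
    "NetworkDeviceName=SW01, ScheduledAt=2017-06-12 10:15:00, Step=11001, Step=11017, "
    "Step=15049, Step=15008, Step=22037, Step=11002,",
]


def find_timestamp(line: str, lookahead: int):
    """Earliest timestamp string inside the first `lookahead` characters, or None."""
    window = line[:lookahead]
    matches = [m for p in TIMESTAMP_PATTERNS if (m := p.search(window))]
    if not matches:
        return None
    return min(matches, key=lambda m: m.start()).group(0)


def merge_events(lines, lookahead: int):
    """Group raw lines into events; only a line with a timestamp in the window starts one."""
    events = []
    for line in lines:
        if find_timestamp(line, lookahead) is not None or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line  # continuation: append to the previous event
    return events


if __name__ == "__main__":
    for lookahead in (150, 20):
        events = merge_events(RAW_LINES, lookahead)
        print(f"MAX_TIMESTAMP_LOOKAHEAD={lookahead}: {len(events)} event(s)")
        for ev in events:
            print("  time =", find_timestamp(ev, lookahead), "|", ev[:60].replace("\n", " "), "...")
```

With the 150-character window the continuation fragment is promoted to its own event because of ScheduledAt; with 20 it is merged back into the event that carries the syslog header.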
For this to work, would I need to have the sourcetype for my input manually set to cisco:ise:syslog? I'm unfortunately still getting the same behavior. Thought I would check on the sourcetype part before I move forward with trying the line_breaker function.
Thanks! I'm going to pop in the lookahead part right now and will see what happens, I'll report back tmw.