Having an issue searching Cisco ISE logs in Hunk where values I know exist in the events/logs (independently verified via a Hive query) are not being returned for the same search in Hunk and I think it has to do with date and time stamps.
Digging into Cisco ISE logs, there are times when the year/month/day is written in the logs, such as:
Overall this issue will be identical to both Splunk and Hunk.
1) Do nothing. Splunk will try to pick the right timestamp on the fly from within the event. But this option is not perfect since caching may be involved.
2) If you can, separate the different types of events into different types of logs, and put them into different locations in HDFS.
3) I am not sure if there is a way to write a Regex that picks one timestamp or the other.
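A way to prototype option 3 before committing it to a Splunk/Hunk timestamp configuration, added here as an example and not code from the thread: one regex whose first alternative scans the event body for the full year/month/day timestamp and whose second alternative falls back to the syslog header. The two Cisco ISE-style lines are constructed, and the year and zone applied to the header-only line are assumptions supplied by the caller.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of Cisco ISE syslog output (an assumption,
# not log lines from the thread). The first carries only the syslog header date
# (no year); the second also carries a full year/month/day timestamp in the body.
SAMPLE_LINES = [
    "Mar  3 14:22:10 ise01 CISE_Administrative_and_Operational_Audit 0000001234 1 0 Audit message",
    "Mar  3 14:22:11 ise01 CISE_Passed_Authentications 0000001235 1 0 "
    "2014-03-03 14:22:11.512 +00:00 UserName=alice",
]

# One regex, two alternatives, tried in order from the start of the line:
#   1. scan forward (non-greedy) for an ISO-style timestamp with year and UTC offset;
#   2. only if none exists, fall back to the syslog header at the start of the line.
TS_RE = re.compile(
    r"^(?:.*?(?P<iso>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? [+-]\d{2}:\d{2})"
    r"|(?P<syslog>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}))"
)


def extract_timestamp(line, default_year, default_tz=timezone.utc):
    """Return (source, aware datetime), or (None, None) when neither form is present."""
    m = TS_RE.match(line)
    if m is None:
        return None, None
    if m.group("iso"):
        raw = m.group("iso")
        fmt = "%Y-%m-%d %H:%M:%S.%f %z" if "." in raw else "%Y-%m-%d %H:%M:%S %z"
        return "iso", datetime.strptime(raw, fmt)
    # The syslog header has no year and no zone: both come from the caller (assumed).
    raw = re.sub(r"\s+", " ", m.group("syslog"))
    dt = datetime.strptime(f"{default_year} {raw}", "%Y %b %d %H:%M:%S")
    return "syslog", dt.replace(tzinfo=default_tz)


def bucket_by_timestamp_source(lines, default_year):
    """Group lines by which timestamp form matched (the split option 2 suggests)."""
    buckets = {"iso": [], "syslog": [], None: []}
    for line in lines:
        source, _ = extract_timestamp(line, default_year)
        buckets[source].append(line)
    return buckets


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        source, ts = extract_timestamp(line, default_year=2014)
        print(f"{source:>6}  {ts.isoformat()}  {line[:60]}")
```

Lines that land in the `syslog` bucket are the ones whose year Splunk has to infer, so that bucket is where the cached or guessed year in option 1 can send events to the wrong day.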