Splunk Search

How can I extract the same date/time consistently from Cisco ISE logs with different date and time stamp formats?

jwalzerpitt
Influencer

Having an issue searching Cisco ISE logs in Hunk, where values I know exist in the events/logs (independently verified via a Hive query) are not being returned for the same search in Hunk, and I think it has to do with date and time stamps.

Digging into Cisco ISE logs, there are times when the year/month/day is written in the logs, such as:

Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 0 2016-02-25 08:59:15.229 -05:00 0903028144 5200 NOTICE Passed-Authentication: Authentication succeeded, etc...

and times where just the month/date/time, but no year, is written, such as:

Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 1 AcsSessionID=fqdr-ise-psn-02/245099027/15292147, etc...

How can I extract the same date/time consistently regardless of the log format?

Thx

0 Karma

rdagan_splunk
Splunk Employee

Overall this issue will be identical in both Splunk and Hunk.
A few options:
1) Do nothing. Splunk will try to pick the right timestamp on the fly from within the event. But this option is not perfect since caching may be involved.
2) If you can, separate the different types of events into different types of logs, and put them into different locations in HDFS.
3) I am not sure if there is a way to write a regex that picks one timestamp or the other.

0 Karma

jwalzerpitt
Influencer

Thx for the reply and information

If I'm able to separate the different types of events into different logs, can I then force a year onto the date/time stamp for the events that only have Month & Day?

0 Karma
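The original question (extracting one consistent timestamp from both Cisco ISE line formats) and the follow-up above (forcing a year onto the events that only carry a month and day) can both be shown with the same parsing logic. The block below is an added example written for this thread, not code from any poster or from Splunk; it is plain Python rather than a props.conf or SPL fragment so the behaviour can be run and checked offline. Its assumptions: the two sample events are constructed to match the formats quoted in the question (the IP address is a placeholder), the syslog header at the start of each line was written by a collector in UTC-5 (the offset ISE reports in the sample), and the year for a year-less header is taken from the time the event was received, falling back to the previous year when the event straddles a year boundary.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, modelled on the two formats quoted in the question
# (the IP address and trailing text are placeholders, not real log data).
SAMPLE_EVENTS = [
    "Feb 25 08:59:15 192.0.2.10 CISE_Passed_Authentications 0014349929 6 0 "
    "2016-02-25 08:59:15.229 -05:00 0903028144 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded,",
    "Feb 25 08:59:15 192.0.2.10 CISE_Passed_Authentications 0014349929 6 1 "
    "AcsSessionID=fqdr-ise-psn-02/245099027/15292147,",
]

# Full ISE timestamp embedded in the payload: "2016-02-25 08:59:15.229 -05:00"
ISE_TS_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}) "
    r"(?P<tzh>[+-]\d{2}):(?P<tzm>\d{2})"
)
# Syslog header at the start of every event: "Feb 25 08:59:15" (no year, no offset)
SYSLOG_TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
)

MONTHS = {name: num for num, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Assumption: the collector writing the syslog header runs in UTC-5, matching the
# offset ISE itself reports in the sample; adjust to the real collector timezone.
COLLECTOR_TZ = timezone(timedelta(hours=-5))


def collector_time(year, month, day, hour=0, minute=0, second=0):
    """Build an aware datetime in the collector's timezone (used as `reference`)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=COLLECTOR_TZ)


def infer_year(month, day, hms, reference):
    """Attach a year to a year-less syslog timestamp.

    The year is taken from `reference` (the time the event was received or
    indexed); if that would place the event more than a day in the future, the
    event straddled a year boundary and the previous year is used instead.
    Invalid dates such as Feb 29 in a non-leap year are also pushed back a year.
    """
    hour, minute, second = (int(part) for part in hms.split(":"))
    for year in (reference.year, reference.year - 1):
        try:
            candidate = datetime(year, month, day, hour, minute, second,
                                 tzinfo=COLLECTOR_TZ)
        except ValueError:
            continue
        if candidate <= reference + timedelta(days=1):
            return candidate
    raise ValueError(f"cannot place {month}/{day} {hms} relative to {reference.isoformat()}")


def parse_event_time(event, reference):
    """Return {'timestamp': aware datetime, 'source': where it came from}.

    Prefers the full ISE timestamp when the payload carries one, otherwise falls
    back to the syslog header with the year filled in from `reference`.
    """
    m = ISE_TS_RE.search(event)
    if m:
        ts = datetime.strptime(
            f"{m['date']} {m['time']}.{m['ms']} {m['tzh']}{m['tzm']}",
            "%Y-%m-%d %H:%M:%S.%f %z",
        )
        return {"timestamp": ts, "source": "ise_payload"}
    m = SYSLOG_TS_RE.match(event)
    if m:
        ts = infer_year(MONTHS[m["mon"]], int(m["day"]), m["time"], reference)
        return {"timestamp": ts, "source": "syslog_header"}
    raise ValueError("no recognisable timestamp in event")


def event_epoch(event, reference):
    """Whole-second epoch value, so both formats compare equal for the same instant."""
    return int(parse_event_time(event, reference)["timestamp"].timestamp())


if __name__ == "__main__":
    received = collector_time(2016, 2, 25, 9, 0, 0)
    for event in SAMPLE_EVENTS:
        parsed = parse_event_time(event, received)
        print(parsed["source"], parsed["timestamp"].isoformat(),
              event_epoch(event, received))
```

Both sample lines resolve to the same second once the year is filled in, which is the property a timechart needs; the millisecond and offset are only available from the events that carry the full ISE timestamp, so the fallback path is deliberately whole-second and tagged with its source so a search can tell the two apart.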

jwalzerpitt
Influencer

In addition, I'm unable to consistently run timechart span=x against the Cisco ISE VIX, whereas I can run timechart span=x against other VIXes with no problem.

0 Karma