How can I extract the same date/time consistently from Cisco ISE logs with different date and time stamp formats?

Motivator

I'm having an issue searching Cisco ISE logs in Hunk: values I know exist in the events/logs (independently verified via a Hive query) are not being returned for the same search in Hunk, and I think it has to do with date and time stamps.

Digging into Cisco ISE logs, there are times when the year/month/day is written in the logs, such as:

Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 0 2016-02-25 08:59:15.229 -05:00 0903028144 5200 NOTICE Passed-Authentication: Authentication succeeded, etc...

and times when just the Month/Date/Time, but no year, is written, such as:

Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 1 AcsSessionID=fqdr-ise-psn-02/245099027/15292147, etc...

How can I extract the same date/time consistently regardless of the log format?

Thx

Splunk Employee

Overall this issue will be identical in both Splunk and Hunk.
A few options:

1) Do nothing. Splunk will try to pick the right timestamp on the fly from within the event, but this option is not perfect since caching may be involved.

2) If you can, separate the different types of events into different types of logs, and put them into different locations in HDFS.

3) I am not sure if there is a way to write a regex that picks one timestamp or the other.

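One way to get a single consistent time out of both line shapes quoted in the question, as an added example that is not part of this thread or of Splunk/Hunk itself: when the segment carries ISE's own zone-qualified timestamp, use it; otherwise copy the time from segment 0 of the same message (it is assumed here that the three numbers after the category are sequence number, segment count and segment index); only if that fails fall back to the syslog header with a caller-supplied year and zone, and say so in the output.

```python
import re
from datetime import datetime, timedelta, timezone

# Syslog header on every ISE segment; "seq total idx" after the category is an assumption from the sample.
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ "
    r"CISE_\w+ (?P<seq>\d+) (?P<total>\d+) (?P<idx>\d+) (?P<rest>.*)$"
)
# ISE's own zone-qualified timestamp, seen only at the start of segment 0.
ISE_TS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?) (?P<tz>[+-]\d{2}:\d{2})"
)
# Constructed sample: the two lines from the question plus a header-only segment of a second message.
SAMPLE = [
    "Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 0 2016-02-25 08:59:15.229 -05:00 0903028144 5200 NOTICE Passed-Authentication: Authentication succeeded,",
    "Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 1 AcsSessionID=fqdr-ise-psn-02/245099027/15292147,",
    "Feb 25 09:01:02 ip_address CISE_Passed_Authentications 0014349930 2 1 AcsSessionID=fqdr-ise-psn-02/245099027/15292148,",
]

def ise_time(rest):
    """Parse the zone-qualified ISE timestamp; None if this segment does not carry one."""
    t = ISE_TS_RE.match(rest)
    if not t:
        return None
    fmt = "%Y-%m-%d %H:%M:%S.%f %z" if "." in t["time"] else "%Y-%m-%d %H:%M:%S %z"
    return datetime.strptime(f"{t['date']} {t['time']} {t['tz']}", fmt)

def extract_times(lines, assumed_year, assumed_tz=timezone(timedelta(hours=-5))):
    """Return (seq, segment_index, epoch_utc, source) per line; source is 'ise', 'seq' (copied
    from segment 0 of the same message) or 'header' (assumed_year/assumed_tz were filled in)."""
    parsed, by_seq = [], {}
    for line in lines:  # pass 1: remember the authoritative time of each message
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"not a Cisco ISE syslog line: {line[:40]!r}")
        ts = ise_time(m["rest"])
        parsed.append((m, ts))
        if ts is not None:
            by_seq[m["seq"]] = ts
    out = []
    for m, ts in parsed:  # pass 2: resolve every segment, best source first
        if ts is not None:
            src = "ise"
        elif m["seq"] in by_seq:
            ts, src = by_seq[m["seq"]], "seq"
        else:  # syslog header has neither year nor zone: both are assumptions
            naive = datetime.strptime(f"{assumed_year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
            ts, src = naive.replace(tzinfo=assumed_tz), "header"
        out.append((m["seq"], int(m["idx"]), ts.timestamp(), src))
    return out
```

The `source` field is worth keeping as an indexed field: any event tagged `header` has a guessed year and zone, which is exactly where a search over a date range can silently miss events.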

Motivator

Thx for the reply and information

If I'm able to separate the different types of events into different logs, can I then force a year onto the date/time stamp for the events that only have Month & Day?


Motivator

In addition, I'm unable to consistently run timechart span=x against the Cisco ISE VIX, whereas I can run timechart span=x against other VIXes with no problem.
