Been testing to get a ISE-Splunk successful authentication report and trying this but the "Calling-Station-ID" is not displaying in table, I can see it exist.
index=network eventtype=cisco-ise CISE_RADIUS_Accounting host=ISEnode1 OR | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime Calling-Station-ID
Any help out there? I new with this Splunk search
Or anyone got a sample Splunk ISE Authentication report?
TIA
Hi @redrobish1,
Field name should by Calling_Station_ID. Please try below;
index=network eventtype=cisco-ise CISE_RADIUS_Accounting host=ISEnode1 OR | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime Calling_Station_ID
thanks scelikok, it does display now but somehow the results are too low. Any chance you got any sample reporting for ISE-Splunk (successful client report)? thanks again?
Hi @redrobish1,
Field name should by Calling_Station_ID. Please try below;
index=network eventtype=cisco-ise CISE_RADIUS_Accounting host=ISEnode1 OR | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime Calling_Station_ID