The problem with the null field value is not just a problem for the TA, but a bigger problem with ingesting the logs over the network.
The null character causes syslog or whatever network listener you are using to mark the end of the payload, the rest of the message is considered the start of a new message.
The "Splunk" workaround is to use LINE_BREAKER and EVENT_BREAKER and set them both to something similar to:
matches: <181>Dec 11 12:07:18 hostname CISE_RADIUS_Accounting 0007734788 1 0
where the first part is the syslog priority and the date/time stamp (yours could be different), but this pattern defines the start of a new event and will ignore the nulls that have been written to the file as newlines. The events will look a little ugly, but at least all the fields will be in one event.
This also will re-assemble the multi-part messages that are sent by ISE at index time.
This WILL NOT WORK if you are doing any sort of load-balancing of your syslog servers that might cause the different parts of the multi-part message to be logged to different servers, in those cases you will have to assemble the parts at search time.
... View more
The QnD version expects a field called MacAddress in your syslog data. If the name is different, you can add a | rename MacAddress AS yourotherfieldname after the | fields MacAddress to make the field names match up.
... View more