All Apps and Add-ons

Splunk for Cisco IPS - multiple events for single event

agarwalv
Engager

Hello,
I noticed with the latest version of the app "Splunk for Cisco IPS" that events from my IPS are being displayed multiple times when i query a specific event in a given time frame.
I checked the sdee log on the splunk server; there is a single entry for the event in question, but when i query the same event, it is listed over an 100 times in a span of an hour.

Looks like splunk continues to read the log and display same messages again.

Tags (1)

Michael_Wilde
Splunk Employee
Splunk Employee

do you / did you by chance have the UNIX app installed at the time?

0 Karma

dingdj
Explorer
  1. Please make sure your inputs.conf have crcSalt and followTail=1

  2. Because the log entry can be very long, make sure the line breaks are correctly done. I used this line in my props.conf file to define the line breaks:

     BREAK_ONLY_BEFORE =  ^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,} 

Good luck!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...