Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I extract the same date/time consistently from Cisco ISE logs with different date and time stamp formats?

jwalzerpitt
Influencer
‎02-25-2016 07:05 AM

Having an issue searching Cisco ISE logs in Hunk where values I know exist in the events/logs (independently verified via a Hive query) are not being returned for the same search in Hunk and I think it has to do with date and time stamps.

Digging into Cisco ISE logs, there are times when the year/month/day is written in the logs, such as:

Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 0 2016-02-25 08:59:15.229 -05:00 0903028144 5200 NOTICE Passed-Authentication: Authentication succeeded, etc...

and times where just the Month/Date/Time, but no year are written, such as:

Feb 25 08:59:15 ip_address CISE_Passed_Authentications 0014349929 6 1 AcsSessionID=fqdr-ise-psn-02/245099027/15292147, etc...

How can I extract the same date/time consistently regardless of the log format?

Thx

0 Karma
Reply

rdagan_splunk
Splunk Employee
Splunk Employee
‎02-26-2016 02:41 PM

Overall this issue will be identical to both Splunk and Hunk.
Few options:
1) Do nothing. Splunk will try to pick the right timestamp on the fly from within the event. But this option is not perfect since caching may be involved.

2) If you can, separate the different type of events into different type of logs, and put them into different locations in HDFS.
3) I am not sure if there is a way to write a Regex that pick one timestamp or the other ..

0 Karma
Reply

jwalzerpitt
Influencer
‎02-27-2016 06:36 PM

Thx for the reply and information

If I'm able to separate the different types of events into different logs, can I then force a year onto the date/time stamp for the events that only have Month & Day?

0 Karma
Reply

jwalzerpitt
Influencer
‎02-25-2016 07:12 AM

In addition, I'm unable to consistently run timechart span=x against the Cisco ISE VIX, where as I can run timechart span=x against other VIXes with no problem

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...