All Apps and Add-ons

Events not breaking at timestamp - Cisco Networks App

josefa
Path Finder

Hello,

Have a question. I had my cisco logs indexed as sourcetype=syslog, coming from a syslog and sent to Splunk with a forwarder. I then installed the Cisco Networks App and change the sourcetype of this logs to cisco:ios but I've noticed there are some events which are mixed in one same event (no event-breaking at timestamp as usual)

Are there some considerations I should take in regards of props.conf in the App, as I'm receiving logs from a forwarder and not the devices themselves?

Attached some images of what I'm seeing in Splunk. first image how the event looks like (9 cisco events in 1 splunk event) and the second image, where, after the first device hostname it tooks everything as the device_time
Event

Logs being taken as device_time

Any help is much appreciated.

0 Karma

mikaelbje
Motivator

Haven't seen this before and I have a lot of installations using either direct UDP syslog to Splunk or logging to a syslog daemon with a Universal Forwarder shipping the logs to indexers.

You may need to set up a LINE_BREAKER rule along with SHOULD_LINEMERGE=false in props.conf on your indexers/Heavy Forwarders.

0 Karma

josefa
Path Finder

Thanks for your answer, could you tell me how would be the configs in props.conf for the Universal forwarder case? That is how I'm sending the logs to the indexer

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you using the heavy forwarder to get data from syslog?

0 Karma

josefa
Path Finder

Universal forwarding.

I send the device's logs to a file in a syslog /var/log/ciscologs.log and monitor that file with the Universal forwarder, in inputs.conf

[monitor:///var/log/ciscologs.logs]
index=index

0 Karma

mikaelbje
Motivator

Try setting

sourcetype = syslog

In your monitor stanza

0 Karma

lqiao2
Path Finder

I think also that setting sourcetype = syslog is the right solution and make sure that the Cisco Network Add-on is installed on the indexers/search-heads.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...