Hello
I have Splunk Cisco IPS version 1.0.4. It was working fine when I installed Splunk Cisco Security Suite version 1.0. After upgrading to version 1.0.1, the IPS app stopped displaying logs from the sensor I added. Any idea what I should do to solve this problem?
Thanks,
You could check the field extractions in the new Splunk Cisco Security Suite. There is a field "context" being added which is not extracted by Splunk Cisco IPS version 1.0.4. So you have a choice: either delete this field from the inline search in the "ips_overview" view and disable the corresponding panel in the dashboard, or extract this field from your current IPS logs (if you have this field).
Can you check the content of $SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log and see if the scripted input is still working properly to pull data from your IPS?