Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What could be causing my ISE logs to split up and get miscategorized

lacrosse1991
Explorer
‎06-06-2017 06:38 AM

Hello,

I recently noticed that a small amount of ISE logs each day were getting split up. In order to remedy this, I adjusted the maximum log length on the ISE nodes to 1400 (it had previously been set to 1024). I thought this would at least make a little bit of a difference, but it does not appear to have improved at all. Is there anything else that I can change or check to help remedy this issue?

An example of the logs can be found below. Notice how one event has a sourcetype of cisco:ise:syslog, while the other event has a generic sourcetype of syslog and is missing a timestamp

alt text

Preview file
1 KB
0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎06-06-2017 04:06 PM

@lacrosse1991 It may be happenng because Splunk sees a timestamp further into the event on the field "ScheduledAt". By default we look 150 into the event for a timestamp. If that is the case you can set the following in props.conf on your indexer for this sourcetype to reduce how many characters Splunk looks into the event for the timestamp.

$SPLUNK_HOME/etc/system/local/props.conf
[cisco:ise:syslog]
MAX_TIMESTAMP_LOOKAHEAD = 20

If you still see the issue you can use LINE_BREAKER in props.conf

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

0 Karma
Reply

lacrosse1991
Explorer
‎06-07-2017 05:44 AM

for this to work, would I need to have the sourcetype for my input manually set to cisco:ise:syslog? I'm unfortunately still getting the same behavior. Thought I would check on the sourcetype part before I move forward with trying the line_breaker function.

0 Karma
Reply

lacrosse1991
Explorer
‎06-06-2017 05:00 PM

thanks! I'm going to pop in the lookahead part right now and will see what happens, I'll report back tmw

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...