Hi Team,

We also had installed Cisco ISE add-on on our Heavy Forwarder earlier and getting ISE events in proper format.

We are using Splunk SIEM tool and recently installed Cisco ISE App on Splunk Search Head and Indexers for visualizing pre-defined dashboard.

PFB link for reference:

Download Splunk for Cisco Identity Services (ISE)

https://splunkbase.splunk.com/app/1589/

Download Splunk Add-on for Cisco Identity Services

https://splunkbase.splunk.com/app/1915/

The moment we installed Cisco ISE app on Splunk search head and indexers, Splunk started to reject all the events due to below error:

10-21-2019 17:05:13.814 +0000 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="/logdata01/logs/cisco/ise/isesvr01/2019-10-21-cisco-ise.log", data_host="isesvr01", data_sourcetype="cisco:ise:syslog"

Also we tried to find the solution for above error with following link:
https://answers.splunk.com/answers/526680/splunk-ise-ta-fails-when-distributed-via-cluster-m.html

But it is yet to answer of this question on Splunk answer support.

Then I had a word with Splunk support team and when they looked at this app config. They could have fixed it but they were not sure after fixing this issue, it won't create more problems. Since it was production environment, we simply uninstalled this app.

Did anyone face this issue in your environment?

Thanks in advance.

Regards,

Tejas