Splunk for Cisco Identity Services (ISE)

Hi Team,

We had also installed the Cisco ISE add-on on our Heavy Forwarder earlier and are getting ISE events in the proper format.

We are using Splunk as our SIEM tool and recently installed the Cisco ISE App on the Splunk Search Head and Indexers to visualize the pre-defined dashboards.

Please find below the links for reference:

Download Splunk for Cisco Identity Services (ISE)

https://splunkbase.splunk.com/app/1589/

Download Splunk Add-on for Cisco Identity Services

https://splunkbase.splunk.com/app/1915/

The moment we installed the Cisco ISE app on the Splunk search head and indexers, Splunk started rejecting all the events with the error below:

10-21-2019 17:05:13.814 +0000 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="/logdata01/logs/cisco/ise/isesvr01/2019-10-21-cisco-ise.log", data_host="isesvr01", data_sourcetype="cisco:ise:syslog"

We also tried to find a solution for the above error via the following link:
https://answers.splunk.com/answers/526680/splunk-ise-ta-fails-when-distributed-via-cluster-m.html

But this question is yet to be answered on Splunk Answers.

Then I had a word with the Splunk support team, and they looked at this app's config. They could have fixed it, but they were not sure that, after fixing the issue, it wouldn't create more problems. Since it was a production environment, we simply uninstalled this app.

Did anyone face this issue in your environment?

Thanks in advance.

Regards,

Tejas

Accepted Solution

jeppich
Cisco Employee

Hey Tejas,

I haven't, please email me, I would like to set up a Webex to discuss your issues.

Thanks,

John

jeppich@cisco.com

2 Replies

hslai
Cisco Employee

I have not worked on this. However...

The Splunk doc "Install an add-on in a distributed Splunk Enterprise deployment" says to use $SPLUNK_HOME. If that does not work, then this seems to be some limitation in the Splunk clustering environment and would need Splunk to enhance it.
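As an added check (example code, not from this thread and not from either Splunk app): the error in the question shows Splunk resolving a DATETIME_CONFIG path under $SPLUNK_HOME/etc/apps/ and finding no file there. The script below walks every props.conf on a Splunk node, including etc/slave-apps/ where apps pushed by the cluster manager land on indexers, and reports each DATETIME_CONFIG whose target file is absent. It assumes DATETIME_CONFIG values are paths relative to $SPLUNK_HOME, as in Splunk's props.conf spec; the app and TA folder names in the constructed fixture are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the Cisco Community thread or from either
# Splunk app. Verifies that every DATETIME_CONFIG referenced by a props.conf
# under a Splunk instance resolves to a file that exists on this host.
# Assumptions: DATETIME_CONFIG is a path relative to $SPLUNK_HOME (Splunk
# props.conf spec), and cluster-pushed apps are unpacked under etc/slave-apps
# on indexers. Folder names in the fixture below are hypothetical.

check_datetime_config() {
    splunk_home="$1"
    missing=0
    # props.conf may live in system/local, in any app's default/ or local/,
    # and on cluster peers under slave-apps/.
    for conf in \
        "$splunk_home"/etc/system/local/props.conf \
        "$splunk_home"/etc/apps/*/default/props.conf \
        "$splunk_home"/etc/apps/*/local/props.conf \
        "$splunk_home"/etc/slave-apps/*/default/props.conf \
        "$splunk_home"/etc/slave-apps/*/local/props.conf
    do
        [ -f "$conf" ] || continue
        # Read "KEY = value" lines; everything after the first '=' is the value.
        while IFS='=' read -r key value; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            [ "$key" = "DATETIME_CONFIG" ] || continue
            value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            # CURRENT and NONE are keywords, not files.
            case "$value" in CURRENT|NONE|"") continue ;; esac
            target="$splunk_home/${value#/}"
            if [ -f "$target" ]; then
                printf 'ok      %s -> %s\n' "$conf" "$target"
            else
                printf 'MISSING %s -> %s\n' "$conf" "$target"
                missing=$((missing + 1))
            fi
        done < "$conf"
    done
    # Return value is the number of missing files (0 means all resolved).
    return "$missing"
}

# Constructed fixture mirroring the situation in the post on an indexer: the
# app arrives via the cluster bundle (slave-apps) with a props.conf pointing at
# the TA's datetime_udp.xml, but the TA was only installed on the heavy
# forwarder, so that file does not exist on this host.
build_demo_home() {
    fixture=$(mktemp -d)
    mkdir -p "$fixture/etc/system/local" \
             "$fixture/etc/slave-apps/cisco_ise_app/default" \
             "$fixture/etc/apps/some_other_app/local"
    printf '<datetime/>\n' > "$fixture/etc/datetime.xml"
    printf '[default]\nDATETIME_CONFIG = /etc/datetime.xml\n' \
        > "$fixture/etc/system/local/props.conf"
    printf '[cisco:ise:syslog]\nDATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml\n' \
        > "$fixture/etc/slave-apps/cisco_ise_app/default/props.conf"
    printf '[my:sourcetype]\nDATETIME_CONFIG = CURRENT\n' \
        > "$fixture/etc/apps/some_other_app/local/props.conf"
    printf '%s\n' "$fixture"
}

# Stand-alone run: build the constructed fixture and check it.
if [ "${1-}" = "--demo" ]; then
    demo=$(build_demo_home)
    check_datetime_config "$demo" || echo "$? DATETIME_CONFIG file(s) missing"
fi
```

Run it with `--demo` to see the constructed fixture, or call `check_datetime_config /opt/splunk` on a real search head or indexer. A MISSING line pointing at the TA's datetime_udp.xml on a node that only received the app through the cluster bundle is the condition behind the AggregatorMiningProcessor error in the question; the remedy is to get the TA (or at least the referenced XML) onto every node that parses cisco:ise:syslog, whether by deploying the TA there or by pointing DATETIME_CONFIG at a file that exists on that node.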
