Download topic as PDF
Release history for the Splunk Add-on for Cisco ISE
The latest version of the Splunk Add-on for Cisco ISE is version 4.2.0. Please see Release notes for the Splunk Add-on for Cisco ISE for the release notes of the latest version.
Version 4.2.0 of the Splunk Add-on for Cisco ISE was released on April 13, 2021.
Version 4.1.0
Version 4.1.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
| Splunk platform versions | 7.3, 8.0, 8.1 |
| CIM | 4.19.0 |
| Platforms | Platform independent |
| Vendor Products | Cisco ISE version 2.0, 2.4, 2.7 and 3.0 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 4.1.0 of the Splunk Add-on for Cisco ISE has the following new features.
- Added Support for new event types
cisco-ise-endpoint-service,cisco-ise-changeandcisco-ise-traffic - Added support for
Endpoint Services,ChangeandNetwork TrafficDataModels for the above mentioned eventtypes respectively. - For below mentioned
MESSAGE_CODE,eventtype=cisco-ise-changeis introduced52002,60086,58022,58023,58024,60131,60132,60198,5232,5233,60085,60190,60197,60214,51100,60461
- For below mentioned
MESSAGE_CODE,eventtype=cisco-ise-endpoint-serviceis introduced11010,34127,34126,58001,58002,58005,11009,25004,34050,32000,60234,60235,87751,87604,13002,87608,87609,91004,91018
- For below mentioned
MESSAGE_CODE,eventtype=cisco-ise-trafficis introduced61025
- Added support for CIM v4.19.0.
- Support for Cisco ISE product version 3.0
Fixed issues
Version 4.1.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues.
If no issues appear below, no issues have yet been reported:
Known issues
Version 4.1.0 of the Splunk Add-on for Cisco ISE contains the following known issues.
If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 4.1.0 of the Splunk Add-on for Cisco ISE does not incorporate any third-party software or libraries.
Version 4.0.0
Version 4.0.0 of the Splunk Add-on for Cisco ISE was released on July 10, 2020.
About this release
Version 4.0.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
| Splunk platform versions | 7.2, 7.3, 8.0 |
| CIM | 4.15 |
| Platforms | Platform independent |
| Vendor Products | Cisco ISE version 2.0, 2.4, and 2.7 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 4.0.0 of the Splunk Add-on for Cisco ISE has the following new features.
- Added the new event type
cisco-ise-alert - Performance data model mapping has been removed for the
cisco-ise-system-statisticsevent type. - The authentication data model mapping has been removed for the following event types:
cisco-ise-passed-authenticationcisco-ise-failed-authenticationcisco-ise-guest-authenticationcisco-ise-guest-authentication-failed
- An authentication data model has been added for the
cisco-ise-authenticationevent type. - Change data model mapping has been removed for
cisco-ise-provision-succeededevent type. - Alert data model has been added for the
cisco-ise-alertevent type. - Auto KV mode has been replaced with custom REGEX for field extractions in order to support different data formats and fix the broken extractions. As a result, search queries may take longer than before.
- Fixed broken field extractions.
- Removed the setup page, pxGrid Workflow actions, and EPS workflow actions.
- Index time of event has been changed to "Current".
- Added support for Splunk Connect for Syslog.
- Added support for CIM v4.15.
- Update for support for Cisco ISE version 2.7.
- Data Collection supports Syslog and Splunk Connect for Syslog.
Fixed issues
Version 4.0.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues.
If no issues appear below, no issues have yet been reported:
| Date resolved | Issue number | Description |
|---|---|---|
| 2020-05-19 | ADDON-25848 | Cisco ISE: Splunk Cloud DATETIME_CONFIG problem |
Known issues
Version 4.0.0 of the Splunk Add-on for Cisco ISE contains the following known issues.
If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 4.0.0 of the Splunk Add-on for Cisco ISE does not incorporate any third-party software or libraries.
Version 3.0.0
Version 3.0.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.14 and later |
| Platforms | Platform independent |
| Vendor Products | Cisco ISE version 1.x and 2.0 |
New features
Version 3.0.0 of the Splunk Add-on for Cisco ISE has the following new features.
- Support for Python3
Fixed issues
Version 3.0.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues.
If no issues appear below, no issues have yet been reported:
Known issues
Version 3.0.0 of the Splunk Add-on for Cisco ISE contains the following known issues.
If no issues appear below, no issues have yet been reported:
| Date filed | Issue number | Description |
|---|---|---|
| 2020-03-26 | ADDON-25848 | Cisco ISE: Splunk Cloud DATETIME_CONFIG problem |
| 2018-10-19 | ADDON-19966 | Issues with setup page on Splunk v7.2.0 Workaround: web.conf splunkdConnectionTimeout = 120 |
Third-party software attributions
Version 3.0.0 of the Splunk Add-on for Cisco ISE incorporates the following third-party software attributions:
pxGrid_search.jarlibrary, provided by Cisco and used by their permission.- future
- configparser
Version 2.2.2
Version 2.2.2 of the Splunk Add-on for Cisco ISE was released on December 11, 2018.
About this release
Version 2.2.2 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
| Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x |
| CIM | 4.11 |
| Platforms | Platform independent |
| Vendor Products | Cisco ISE version 1.x and 2.0 |
Known issues
Version 2.2.2 of the Splunk Add-on for Cisco ISE contains the following known issues.
If no issues appear below, no issues have yet been reported:
| Date filed | Issue number | Description |
|---|---|---|
| 2018-10-19 | ADDON-19966 | Issues with setup page on Splunk v7.2.0 Workaround: web.conf splunkdConnectionTimeout = 120 |
Third-party software attributions
Version 2.2.2 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.2.0
Version 2.2.0 of the Splunk Add-on for Cisco ISE was released on June 8, 2016. This release is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.3 and later |
| CIM | 4.3 and later |
| Platforms | Platform independent |
| Vendor Products | Cisco ISE version 1.x and 2.0 |
Migration from 2.1.1 to 2.2.0
There are no upgrade issues when upgrading from version 2.1.1 to 2.2.0.
Migration from 2.1.0 to 2.2.0
Version 2.1.1 of this add-on changed the timestamp extraction behavior. That release corrected the way that the Splunk platform selects the timestamp from among the three timestamps available in Cisco ISE data. This change may cause a time jump in your data at the upgrade point.
Migration from versions older than 2.1.0 to 2.2.0
If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.2.0 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not as an upgrade.
To migrate from any version prior to 2.1.0 to version 2.2.0:
- Download and install version 2.2.0 of the add-on from Splunkbase.
- Disable your previous version in the Splunk platform.
- Enable version 2.2.0 of the add-on.
- Create and adjust your local .conf files as needed to match your old configurations.
- Verify your configurations work as expected.
'#Delete the older version of the add-on.
New features
Version 2.2.0 of the Splunk Add-on for Cisco ISE has the following new features.
| Date | Issue number | Description |
| 2016-02-18 | ADDON-7816 | This release of add-on now supports Cisco ISE version 1.x and 2.0. |
| 2015-04-03 | ADDON-3584 | You can now customize the log level through the new loglevel.conf configuration file.
|
Fixed issues
Version 2.2.0 of the Splunk Add-on for Cisco ISE fixes the following issues.
| Date | Issue number | Description |
| 2015-05-05 | ADDON-3929 | Action values are not CIM-compliant with Authentication data model. |
| 2016-05-06 | ADDON-9326 | Incorrect regex expressions in the cisco-ise-action-failure-for-auth and cisco-ise-action-blocked event type definitions.
|
| 2016-02-25 | ADDON-7956 | Tag expansions pull in unintended fields and negatively impact search performance. |
Known issues
Version 2.2.0 of the Splunk Add-on for Cisco ISE contains the following known issues.
| Date | Issue number | Description |
| 2014-11-24 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
|
| 2015-07-10 | ADDON-2610/ SPL-91709 |
Setup fails on Windows in Splunk Web when using Splunk platform 6.3 or earlier. Workaround: Upgrade to Splunk platform version 6.4 or set up workflow_actions.conf manually on Windows machines.
|
| 2017-11-10 | ADDON-15925 | Winsock error 10053 when trying to load the setup page of Cisco Identity Services. Workaround: Install the addon on Linux. |
Third-party software attributions
Version 2.2.0 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.1.2
Version 2.1.2 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.0 and above |
| CIM | 3.0 and above |
| Platforms | Platform independent |
| Vendor Products | Cisco ISE version 1.2 & 1.3 |
Migration from 2.1.1 to 2.1.2
There are no upgrade issues when upgrading from version 2.1.1 to 2.1.2.
Migration from 2.1.0 to 2.1.2
Version 2.1.1 of this add-on changed the timestamp extraction behavior. In that release, the way that the Splunk platform selects the timestamp from among the three timestamps available in Cisco ISE data was corrected. This may cause a time jump in your data at the upgrade point.
Migration from versions older than 2.1.0 to 2.1.2
If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.1.2 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.
To migrate from any version prior to 2.1.0 to version 2.1.2:
- Download and install version 2.1.2 of the add-on from Splunkbase
- Disable your previous version in the Splunk platform
- Enable version 2.1.2 of the add-on
- Create and adjust your local .conf files as needed to match your old configurations
- Verify your configurations work as expected
- Delete the older version of the add-on
Fixed issues
Version 2.1.2 of the Splunk Add-on for Cisco ISE fixes the following issues.
| Date | Defect number | Description |
| 2015-08-25 | ADDON-5004 | pxGrid_Search.jar file is corrupt. |
Known issues
Version 2.1.2 of the Splunk Add-on for Cisco ISE has the following known issues.
| Date | Defect number | Description |
| 2015-05-05 | ADDON-3929 | Action values are not CIM-compliant with Authentication data model. |
| 2014-11-24 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
|
| 2015-07-10 | ADDON-2610/ SPL-91709 |
Setup fails on Windows in Splunk Web when using Splunk platform 6.3 or earlier. Workaround: Upgrade to Splunk platform version 6.4 or set up workflow_actions.conf manually on Windows machines.
|
Third-party software attributions
Version 2.1.2 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.1.1
Version 2.1.1 of the Splunk Add-on for Cisco ISE was compatible with the following software, CIM versions, and platforms.
| Splunk Enterprise versions | 6.2, 6.1, 6.0 |
| CIM | 4.2, 4.1, 4.0, 3.0 |
| Platforms | Platform independent |
| Vendor Products | Cisco ISE 1.2 |
Migration from 2.1.0 to 2.1.1
Version 2.1.1 of this add-on changes the timestamp extraction behavior. In this release, we are correcting the way that Splunk Enterprise selects the timestamp from among the three timestamps available in Cisco ISE data, which may cause a time jump in your data at the upgrade point.
Migration from versions older than 2.1.0 to 2.1.1
If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.1.1 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.
To migrate from any version prior to 2.1.0 to version 2.1.1:
- Download and install version 2.1.1 of the add-on
- Disable your previous version in Splunk Enterprise
- Enable version 2.1.1 of the add-on
- Create and adjust your local conf files as needed to match your old configurations
- Verify your configurations work as expected
- Delete the older version of the add-on
Fixed issues
Version 2.1.1 of the Splunk Add-on for Cisco ISE fixed the following issues.
| Date | Defect number | Description |
| 04/15/15 | ADDON-3660 | Stanza extract_vendor_action_ise in transforms.conf is not used in props.conf. |
| 04/07/15 | ADDON-3479 | Add-on overrides Splunk Enterprise's default syslog timestamp configurations. |
| 04/02/15 | ADDON-3329 | pxgremediate.py command does not return useful information. |
| 03/31/15 | ADDON-3423 | Problems with authentication & dispatch of custom command, and improve logging. |
| 03/31/15 | ADDON-2512 | Sourcetypes renamed in a way that broke backwards compatibility. |
| 03/26/15 | ADDON-3063 | Authentication error received when invoking pxgremediate workflow (custom command). Workaround available from support. |
| 03/26/15 | ADDON-3079 | Add-on contains *nix specific paths. |
| 03/26/15 | ADDON-3077 | Potential command execution via malicious configuration file. |
Known issues
Version 2.1.1 of the Splunk Add-on for Cisco ISE had the following known issues.
| Date | Defect number | Description |
| 08/19/15 | ADDON-5004 | pxGrid_Search.jar file is corrupt. |
| 05/05/15 | ADDON-3929 | Action values are not CIM-compliant with Authentication data model. |
| 04/01/15 | ADDON-3560 | Timestamp extraction behavior changes in this release, which impacts upgrades. In this release, we are correcting the way that Splunk Enterprise selects the timestamp from among the three timestamps available in Cisco ISE data, which may cause a time jump in your data at the upgrade point. |
| 11/24/14 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
|
| 07/10/15 | ADDON-2610/ SPL-86716 |
Setup fails on Windows in Splunk Web. Workaround: Set up workflow_actions.conf manually on Windows machines.
|
Third-party software attributions
Version 2.1.1 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.1.0
Migration
If you have any previous version of the Splunk Add-on for Cisco ISE currently installed, note that version 2.1.0 will not update or replace your current installation. Because the previous community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.
To migrate from any previous version to version 2.1.0:
- Download and install version 2.1.0 of the add-on
- Disable your previous version in Splunk Enterprise
- Enable version 2.1.0 of the add-on
- Create and adjust your local conf files as needed to match your old configurations
- Verify your configurations work as expected
- Delete the older version of the add-on
New features
Version 2.1.0 of the Splunk Add-on for Cisco ISE included the following new features:
| Resolved date | Issue number | Description |
| 11/24/14 | ADDON-1181 | Normalize data to CIM Authentication and Change Analysis data models. |
| 11/24/14 | ADDON-2186 | pxGrid remediation support with custom command. |
| 10/27/14 | ADDON-2035 | Workflow actions to support ISE remediation |
| 10/03/14 | ADDON-1819 | Pre-built panels for Cisco ISE |
Known issues
Version 2.1.0 of the Splunk Add-on for Cisco ISE had the following known issues.
| Date | Defect number | Description |
| 02/02/15 | ADDON-2610 | Setup fails on Windows in Splunk Web. Workaround: Set up workflow_actions.conf manually on Windows machines.
|
| 01/23/15 | ADDON-3063 | Authentication error received when invoking pxgremediate workflow (custom command). Workaround available from support. |
| 12/09/14 | ADDON-2610 | Setup fails on Windows machines. Workaround: set up workflow_actions.conf manually.
|
| 11/24/14 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf.
|
| 09/08/14 | ADDON-1543 | In multi-router installations, two different timestamps appear in Cisco ISE data, and the second one (after the IP address) is the correct one. |
Third-party software attributions
Version 2.1.0 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
|
PREVIOUS Release notes for the Splunk Add-on for Cisco ISE |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!