Splunk® Supported Add-ons

Splunk Add-on for Cisco ISE


Troubleshoot the Splunk Add-on for Cisco ISE

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons. You can also access these support and resource links.

"Invalid key in stanza" message in the console output

This issue occurs in version 4.0.0 because the pxGrid and EPS workflow actions have been removed. If you configured the workflow actions in an earlier version, the following messages appear in the console after you upgrade.

Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 10: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 11: ise.version (value: 1.2).
Invalid key in stanza [EPS_QuarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 22: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_QuarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 23: ise.version (value: 1.2).
Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 34: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 35: ise.version (value: 1.2).
Invalid key in stanza [EPS_UnquarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 46: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_UnquarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 47: ise.version (value: 1.2).
Invalid key in stanza [EPS_UnquarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 58: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_UnquarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 59: ise.version (value: 1.2).

To eliminate these messages from the console, remove the workflow_actions.conf file from the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ise/local/ directory.
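Because the fix above deletes the whole local file, it helps to confirm first that every stanza in it is one the console flagged. The following is an added example, not part of the add-on or of Splunk's tooling; it parses messages in the format shown above and lists any stanza that would be deleted without having been flagged. The sample data and the `my_custom_lookup` stanza are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the console message format shown above.
MSG_RE = re.compile(
    r"Invalid key in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>\S+), "
    r"line (?P<line>\d+): (?P<key>\S+)"
)

def parse_invalid_keys(console_text):
    """Return {conf_path: {stanza: [(line_no, key), ...]}} from console output."""
    found = defaultdict(lambda: defaultdict(list))
    for m in MSG_RE.finditer(console_text):
        found[m["path"]][m["stanza"]].append((int(m["line"]), m["key"]))
    return {path: dict(stanzas) for path, stanzas in found.items()}

def stanzas_in_conf(conf_text):
    """List the stanza header names found in .conf file text."""
    names = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            names.append(line[1:-1])
    return names

def unflagged_stanzas(conf_text, flagged):
    """Stanzas that deleting the file would remove but that were never flagged."""
    return [s for s in stanzas_in_conf(conf_text) if s not in flagged]

# Constructed sample: two messages in the page's format, and a local file that
# also holds a hypothetical custom workflow action.
SAMPLE_CONSOLE = """\
Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 34: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 35: ise.version (value: 1.2).
"""
SAMPLE_CONF = """\
[EPS_QuarantineByMAC]
ise.host = Please update ISE host information before enabling
ise.version = 1.2

[my_custom_lookup]
type = link
"""

if __name__ == "__main__":
    for path, stanzas in parse_invalid_keys(SAMPLE_CONSOLE).items():
        print(path, stanzas)
        print("would also be deleted:", unflagged_stanzas(SAMPLE_CONF, stanzas))
```

If the list of unflagged stanzas is not empty, copy those stanzas elsewhere before removing the file.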

"AggregatorMiningProcessor Error" message in the splunkd log file

These messages occur because the hard-coded path of datetime_config has been removed. If you have set a custom path for datetime_config in the $SPLUNK_HOME/etc/master-apps/Splunk_TA_cisco-ise/local/props.conf file, the following error appears in the splunkd.log file and events are not ingested into the Splunk platform.

07-03-2020 05:28:39.830 +0000 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="test", data_host="idx3", data_sourcetype="cisco:ise:syslog"

To mitigate this issue, see Upgrade an indexer cluster from Splunk Add-on for Cisco ISE version 3.0.0.
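To find the override before it causes dropped events, you can scan the local props.conf for datetime settings that point at a file that no longer exists. The following is an added example, not part of the add-on; it assumes the setting is spelled `DATETIME_CONFIG` in props.conf, that its value is a path relative to $SPLUNK_HOME (or one of the keywords `CURRENT` and `NONE`), and it uses a constructed props.conf sample with a hypothetical second sourcetype.

```python
import os

# DATETIME_CONFIG values that select built-in behaviour instead of a file.
NOT_A_FILE = {"CURRENT", "NONE"}

def datetime_configs(props_text):
    """Yield (stanza, value) for each DATETIME_CONFIG setting in props.conf text."""
    stanza = "default"
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "DATETIME_CONFIG":
                yield stanza, value

def missing_datetime_files(props_text, splunk_home):
    """Return [(stanza, resolved_path)] for settings whose XML file is absent."""
    missing = []
    for stanza, value in datetime_configs(props_text):
        if value in NOT_A_FILE:
            continue
        # Assumption: the value is a path relative to $SPLUNK_HOME.
        resolved = os.path.join(splunk_home, value.lstrip("/"))
        if not os.path.isfile(resolved):
            missing.append((stanza, resolved))
    return missing

# Constructed sample of a local props.conf that still carries the old override;
# the second stanza is hypothetical.
SAMPLE_PROPS = """\
[cisco:ise:syslog]
DATETIME_CONFIG = /etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml
TRUNCATE = 0

[some:other:sourcetype]
DATETIME_CONFIG = CURRENT
"""

if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    for stanza, path in missing_datetime_files(SAMPLE_PROPS, home):
        print(f"[{stanza}] DATETIME_CONFIG points at missing file: {path}")
```

Run it against the text of the props.conf file named above, and check the result on a host where the add-on version being deployed is installed.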

Troubleshoot upgrading

If you are having issues upgrading to version 2.2.2, see the following sections:

Upgrade from 2.2.0 or 2.1.1 to 2.2.2

There are no known issues when upgrading from versions 2.2.0 or 2.1.1 to 2.2.2.

Upgrade from 2.1.0 to 2.2.2

Version 2.1.1 of this add-on changed the timestamp extraction behavior. That release corrected the way that the Splunk platform selects the timestamp from the three timestamps available in Cisco ISE data. This change may cause a time jump in your data at the upgrade point.

Upgrade from versions older than 2.1.0 to 2.2.2

If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, version 2.2.2 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not as an upgrade.

To upgrade from any version prior to 2.1.0 to version 2.2.2, complete these steps:

  1. Download and install version 2.2.2 of the add-on from Splunkbase.
  2. Disable your previous version in the Splunk platform.
  3. Enable version 2.2.2 of the add-on.
  4. Create and adjust your local .conf files as needed to match your old configurations.
  5. Verify your configurations work as expected.
  6. Delete the older version of the add-on.
Last modified on 20 July, 2020

This documentation applies to the following versions of Splunk® Supported Add-ons: released

