Release history for the Splunk Add-on for Cisco ISE
The latest version of the Splunk Add-on for Cisco ISE is version 5.0.0. Please see Release notes for the Splunk Add-on for Cisco ISE for the release notes of the latest version.
Version 5.0.0 of the Splunk Add-on for Cisco ISE was released on November 21, 2024.
Version 4.2.0
Version 4.2.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1, 8.2, 9.0 |
CIM | 5.0.1 |
Platforms | Platform independent |
Vendor Products | Cisco ISE version 2.0, 2.4, 2.7, 3.0 and 3.1 |
New features
Version 4.2.0 of the Splunk Add-on for Cisco ISE has the following new features.
- Added support for Cisco ISE v3.1
- Added support for CIM v5.0.1
- Added support for new eventtypes and the datamodels, which are mentioned in the following table:
eventtype | Data model mapped |
---|---|
cisco-ise-inventory | Inventory:Network |
cisco-ise-change-all | Change:All_Changes |
cisco-ise-guest-authentication-failed-attempts | Authentication |
- The following table describes the data model support added for respective MESSAGE_CODE
MESSAGE_CODE | Data Model support added in this release |
---|---|
11036, 25012, 25016, 25018, 25020, 25045, 25046, 35000, 35001, 35046, 35048, 35050, 35051, 35055, 5417, 60164, 60191, 61075, 61236, 91002, 91006, 91007 | Alerts |
11213, 11507, 11521, 11522, 11806, 11808, 12300, 12301, 12302, 12310, 12313, 12500, 12552, 12561, 12800, 12801, 12802, 12804, 12805, 12806, 12807, 12810, 12811, 12812, 12813, 12816, 51001, 51002, 51021, 5205, 5231, 5236, 5405, 5413, 5418, 5436, 5440, 5441, 60080, 60204 | Authentication |
51003, 51101, 52000 | Change.Account_Management |
52001, 58003, 58004, 58016, 60094, 60106, 60153, 60208, 60216, 60237, 90051, 90200, 91003 | Change.All_Changes |
88010 | Inventory.Network |
- Extractions for signature and signature_id have been fixed, as previously signature was used in both fields.
  - signature will be extracted from MESSAGE_TEXT
  - signature_id will be extracted from MESSAGE_CODE
- New CIM field extraction added for user_name
- Previously, a comma (,) occurred sometimes in the value of the field. Corrected the implementation such that the comma (,) is excluded from the value of the field
Fixed issues
Version 4.2.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues:
Known issues
Version 4.2.0 of the Splunk Add-on for Cisco ISE contains the following known issues:
Third-party software attributions
Version 4.2.0 of the Splunk Add-on for Cisco ISE does not incorporate any third-party software or libraries.
Version 4.1.0
Version 4.1.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.3, 8.0, 8.1 |
CIM | 4.19.0 |
Platforms | Platform independent |
Vendor Products | Cisco ISE version 2.0, 2.4, 2.7 and 3.0 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 4.1.0 of the Splunk Add-on for Cisco ISE has the following new features.
- Added support for new event types cisco-ise-endpoint-service, cisco-ise-change and cisco-ise-traffic
- Added support for Endpoint Services, Change and Network Traffic data models for the above-mentioned event types respectively.
- For the below-mentioned MESSAGE_CODE values, eventtype=cisco-ise-change is introduced: 52002, 60086, 58022, 58023, 58024, 60131, 60132, 60198, 5232, 5233, 60085, 60190, 60197, 60214, 51100, 60461
- For the below-mentioned MESSAGE_CODE values, eventtype=cisco-ise-endpoint-service is introduced: 11010, 34127, 34126, 58001, 58002, 58005, 11009, 25004, 34050, 32000, 60234, 60235, 87751, 87604, 13002, 87608, 87609, 91004, 91018
- For the below-mentioned MESSAGE_CODE value, eventtype=cisco-ise-traffic is introduced: 61025
- Added support for CIM v4.19.0.
- Support for Cisco ISE product version 3.0
Fixed issues
Version 4.1.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues:
Known issues
Version 4.1.0 of the Splunk Add-on for Cisco ISE contains the following known issues:
Third-party software attributions
Version 4.1.0 of the Splunk Add-on for Cisco ISE does not incorporate any third-party software or libraries.
Version 4.0.0
Version 4.0.0 of the Splunk Add-on for Cisco ISE was released on July 10, 2020.
About this release
Version 4.0.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.2, 7.3, 8.0 |
CIM | 4.15 |
Platforms | Platform independent |
Vendor Products | Cisco ISE version 2.0, 2.4, and 2.7 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 4.0.0 of the Splunk Add-on for Cisco ISE has the following new features.
- Added the new event type cisco-ise-alert
- Performance data model mapping has been removed for the cisco-ise-system-statistics event type.
- The authentication data model mapping has been removed for the following event types:
  - cisco-ise-passed-authentication
  - cisco-ise-failed-authentication
  - cisco-ise-guest-authentication
  - cisco-ise-guest-authentication-failed
- An authentication data model has been added for the cisco-ise-authentication event type.
- Change data model mapping has been removed for the cisco-ise-provision-succeeded event type.
- Alert data model has been added for the cisco-ise-alert event type.
- Auto KV mode has been replaced with custom REGEX for field extractions in order to support different data formats and fix the broken extractions. As a result, search queries may take longer than before.
- Fixed broken field extractions.
- Removed the setup page, pxGrid Workflow actions, and EPS workflow actions.
- Index time of event has been changed to “Current”.
- Added support for Splunk Connect for Syslog.
- Added support for CIM v4.15.
- Updated to support Cisco ISE version 2.7.
- Data Collection supports Syslog and Splunk Connect for Syslog.
Fixed issues
Version 4.0.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues:
Known issues
Version 4.0.0 of the Splunk Add-on for Cisco ISE contains the following known issues:
Third-party software attributions
Version 4.0.0 of the Splunk Add-on for Cisco ISE does not incorporate any third-party software or libraries.
Version 3.0.0
Version 3.0.0 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.14 and later |
Platforms | Platform independent |
Vendor Products | Cisco ISE version 1.x and 2.0 |
New features
Version 3.0.0 of the Splunk Add-on for Cisco ISE has the following new features.
- Support for Python3
Fixed issues
Version 3.0.0 of the Splunk Add-on for Cisco ISE contains the following fixed issues:
Known issues
Version 3.0.0 of the Splunk Add-on for Cisco ISE contains the following known issues:
Third-party software attributions
Version 3.0.0 of the Splunk Add-on for Cisco ISE incorporates the following third-party software attributions:
- pxGrid_search.jar library, provided by Cisco and used by their permission.
- future
- configparser
Version 2.2.2
Version 2.2.2 of the Splunk Add-on for Cisco ISE was released on December 11, 2018.
About this release
Version 2.2.2 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x |
CIM | 4.11 |
Platforms | Platform independent |
Vendor Products | Cisco ISE version 1.x and 2.0 |
Fixed issues
Version 2.2.2 of the Splunk Add-on for Cisco ISE contains the following fixed issues:
Known issues
Version 2.2.2 of the Splunk Add-on for Cisco ISE contains the following known issues:
Third-party software attributions
Version 2.2.2 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.2.0
Version 2.2.0 of the Splunk Add-on for Cisco ISE was released on June 8, 2016. This release is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.3 and later |
CIM | 4.3 and later |
Platforms | Platform independent |
Vendor Products | Cisco ISE version 1.x and 2.0 |
Migration from 2.1.1 to 2.2.0
There are no upgrade issues when upgrading from version 2.1.1 to 2.2.0.
Migration from 2.1.0 to 2.2.0
Version 2.1.1 of this add-on changed the timestamp extraction behavior. That release corrected the way that the Splunk platform selects the timestamp from among the three timestamps available in Cisco ISE data. This change may cause a time jump in your data at the upgrade point.
Migration from versions older than 2.1.0 to 2.2.0
If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.2.0 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not as an upgrade.
To migrate from any version prior to 2.1.0 to version 2.2.0:
- Download and install version 2.2.0 of the add-on from Splunkbase.
- Disable your previous version in the Splunk platform.
- Enable version 2.2.0 of the add-on.
- Create and adjust your local .conf files as needed to match your old configurations.
- Verify your configurations work as expected.
- Delete the older version of the add-on.
New features
Version 2.2.0 of the Splunk Add-on for Cisco ISE has the following new features.
Date | Issue number | Description |
---|---|---|
2016-02-18 | ADDON-7816 | This release of the add-on now supports Cisco ISE version 1.x and 2.0. |
2015-04-03 | ADDON-3584 | You can now customize the log level through the new loglevel.conf configuration file. |
Fixed issues
Version 2.2.0 of the Splunk Add-on for Cisco ISE fixes the following issues:
Known issues
Version 2.2.0 of the Splunk Add-on for Cisco ISE contains the following known issues:
Date | Issue number | Description |
---|---|---|
2014-11-24 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in |
2015-07-10 | ADDON-2610/ | Setup fails on Windows in Splunk Web when using Splunk platform 6.3 or earlier. Workaround: Upgrade to Splunk platform version 6.4 or set up |
2017-11-10 | ADDON-15925 | Winsock error 10053 when trying to load the setup page of Cisco Identity Services. Workaround: Install the addon on Linux. |
Third-party software attributions
Version 2.2.0 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.1.2
Version 2.1.2 of the Splunk Add-on for Cisco ISE is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.0 and above |
CIM | 3.0 and above |
Platforms | Platform independent |
Vendor Products | Cisco ISE version 1.2 & 1.3 |
Migration from 2.1.1 to 2.1.2
There are no upgrade issues when upgrading from version 2.1.1 to 2.1.2.
Migration from 2.1.0 to 2.1.2
Version 2.1.1 of this add-on changed the timestamp extraction behavior. In that release, the way that the Splunk platform selects the timestamp from among the three timestamps available in Cisco ISE data was corrected. This may cause a time jump in your data at the upgrade point.
Migration from versions older than 2.1.0 to 2.1.2
If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.1.2 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.
To migrate from any version prior to 2.1.0 to version 2.1.2:
- Download and install version 2.1.2 of the add-on from Splunkbase
- Disable your previous version in the Splunk platform
- Enable version 2.1.2 of the add-on
- Create and adjust your local .conf files as needed to match your old configurations
- Verify your configurations work as expected
- Delete the older version of the add-on
Fixed issues
Version 2.1.2 of the Splunk Add-on for Cisco ISE fixes the following issues:
Known issues
Version 2.1.2 of the Splunk Add-on for Cisco ISE has the following known issues:
Date | Defect number | Description |
---|---|---|
2015-05-05 | ADDON-3929 | Action values are not CIM-compliant with Authentication data model. |
2014-11-24 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in |
2015-07-10 | ADDON-2610/ | Setup fails on Windows in Splunk Web when using Splunk platform 6.3 or earlier. Workaround: Upgrade to Splunk platform version 6.4 or set up |
Third-party software attributions
Version 2.1.2 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.1.1
Version 2.1.1 of the Splunk Add-on for Cisco ISE was compatible with the following software, CIM versions, and platforms.
Splunk Enterprise versions | 6.2, 6.1, 6.0 |
CIM | 4.2, 4.1, 4.0, 3.0 |
Platforms | Platform independent |
Vendor Products | Cisco ISE 1.2 |
Migration from 2.1.0 to 2.1.1
Version 2.1.1 of this add-on changes the timestamp extraction behavior. In this release, we are correcting the way that Splunk Enterprise selects the timestamp from among the three timestamps available in Cisco ISE data, which may cause a time jump in your data at the upgrade point.
Migration from versions older than 2.1.0 to 2.1.1
If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, note that version 2.1.1 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.
To migrate from any version prior to 2.1.0 to version 2.1.1:
- Download and install version 2.1.1 of the add-on
- Disable your previous version in Splunk Enterprise
- Enable version 2.1.1 of the add-on
- Create and adjust your local conf files as needed to match your old configurations
- Verify your configurations work as expected
- Delete the older version of the add-on
Fixed issues
Version 2.1.1 of the Splunk Add-on for Cisco ISE fixed the following issues:
Known issues
Version 2.1.1 of the Splunk Add-on for Cisco ISE had the following known issues:
Date | Defect number | Description |
---|---|---|
04/15/15 | ADDON-5004 | pxGrid_Search.jar file is corrupt. |
04/07/15 | ADDON-3929 | Action values are not CIM-compliant with Authentication data model. |
04/02/15 | ADDON-3560 | Timestamp extraction behavior changes in this release, which impacts upgrades. In this release, we are correcting the way that Splunk Enterprise selects the timestamp from among the three timestamps available in Cisco ISE data, which may cause a time jump in your data at the upgrade point. |
03/31/15 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf. |
03/31/15 | ADDON-2610/SPL-86716 | Sourcetypes renamed in a way that broke backwards compatibility. |
Third-party software attributions
Version 2.1.1 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.
Version 2.1.0
Migration
If you have any previous version of the Splunk Add-on for Cisco ISE currently installed, note that version 2.1.0 will not update or replace your current installation. Because the previous community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not an upgrade.
To migrate from any previous version to version 2.1.0:
- Download and install version 2.1.0 of the add-on
- Disable your previous version in Splunk Enterprise
- Enable version 2.1.0 of the add-on
- Create and adjust your local conf files as needed to match your old configurations
- Verify your configurations work as expected
- Delete the older version of the add-on
New features
Version 2.1.0 of the Splunk Add-on for Cisco ISE included the following new features:
Resolved date | Issue number | Description |
---|---|---|
11/24/14 | ADDON-1181 | Normalize data to CIM Authentication and Change Analysis data models. |
11/24/14 | ADDON-2186 | pxGrid remediation support with custom command. |
10/27/14 | ADDON-2035 | Workflow actions to support ISE remediation |
10/03/14 | ADDON-1819 | Pre-built panels for Cisco ISE |
Known issues
Version 2.1.0 of the Splunk Add-on for Cisco ISE had the following known issues:
Date | Defect number | Description |
---|---|---|
02/02/15 | ADDON-2610 | Setup fails on Windows in Splunk Web. Workaround: Set up workflow_actions.conf manually on Windows machines. |
01/23/15 | ADDON-3063 | Authentication error received when invoking pxgremediate workflow (custom command). Workaround available from support. |
12/09/14 | ADDON-2610 | Setup fails on Windows machines. Workaround: set up workflow_actions.conf manually. |
11/24/14 | ADDON-2380 | Workflow actions configuration limitations. pxGrid workflow action configuration not supported in workflow_actions.conf. |
09/08/14 | ADDON-1543 | In multi-router installations, two different timestamps appear in Cisco ISE data, and the second one (after the IP address) is the correct one. |
Third-party software attributions
Version 2.1.0 of the Splunk Add-on for Cisco ISE incorporates the pxGrid_search.jar library, provided by Cisco and used by their permission.