Troubleshoot the Splunk Add-on for Cisco ISE
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons. You can also access these support and resource links.
“Invalid key in stanza” message in the console output
This issue occurs in version 4.0.0 because the pxgrid and EPS workflow actions have been removed. If you configured the workflow actions in an earlier version, the following messages appear in the console after you upgrade:
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 10: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 11: ise.version (value: 1.2).
Invalid key in stanza [EPS_QuarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 22: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_QuarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 23: ise.version (value: 1.2).
Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 34: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_QuarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 35: ise.version (value: 1.2).
Invalid key in stanza [EPS_UnquarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 46: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_UnquarantineByIPAddress] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 47: ise.version (value: 1.2).
Invalid key in stanza [EPS_UnquarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 58: ise.host (value: Please update ISE host information before enabling).
Invalid key in stanza [EPS_UnquarantineByMAC] in /opt/splunk/etc/apps/Splunk_TA_cisco-ise/local/workflow_actions.conf, line 59: ise.version (value: 1.2).
To eliminate these messages from the console, remove the workflow_actions.conf file from the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ise/local/ location.
“AggregatorMiningProcessor Error” message in the splunkd log file
These messages occur because the hard-coded path of datetime_config has been removed. If you have set a custom path for datetime_config in the $SPLUNK_HOME/etc/master-apps/Splunk_TA_cisco-ise/local/props.conf file, the following error appears in the splunkd.log file and events are not ingested into the Splunk platform.
07-03-2020 05:28:39.830 +0000 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Can't open DateParser XML configuration file "/opt/splunk/etc/apps/Splunk_TA_cisco-ise/default/datetime_udp.xml": No such file or directory - data_source="test", data_host="idx3", data_sourcetype="cisco:ise:syslog"
To mitigate this issue, see Upgrade an indexer cluster from Splunk Add-on for Cisco ISE version 3.0.0.
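The error above means ISE events are being dropped at parse time, so it is worth checking for the stale reference before the first error is logged. The following added example (not part of the add-on or of Splunk's documentation) lists every stanza in a props.conf file whose DATETIME_CONFIG setting names a file that does not exist. It assumes the value is a path relative to $SPLUNK_HOME; the function name and the `cdc_` variables are made up for this sketch.

```shell
#!/bin/sh
# Added example (not Splunk code): list props.conf stanzas whose
# DATETIME_CONFIG value points at a file that does not exist.
# Assumption: the value is a path relative to $SPLUNK_HOME.

# Usage: check_datetime_config SPLUNK_HOME PROPS_CONF
# Prints "stanza<TAB>resolved path" for each broken reference and
# returns 1 if any were found, 0 otherwise.
check_datetime_config() {
    cdc_home=$1
    cdc_props=$2
    [ -r "$cdc_props" ] || return 0      # no local props.conf, nothing to check
    awk -v home="$cdc_home" '
        BEGIN { stanza = "default" }      # settings above any stanza header
        /^[ \t]*#/ { next }               # skip comment lines
        /^[ \t]*\[/ {                     # stanza header, e.g. [cisco:ise:syslog]
            stanza = $0
            sub(/^[ \t]*\[/, "", stanza)
            sub(/\].*$/, "", stanza)
            next
        }
        /^[ \t]*DATETIME_CONFIG[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            # CURRENT and NONE are keywords, not file paths
            if (val == "" || val == "CURRENT" || val == "NONE") next
            if (val !~ /^\//) val = "/" val
            print stanza "\t" home val
        }
    ' "$cdc_props" | (
        cdc_rc=0
        while IFS="$(printf '\t')" read -r cdc_stanza cdc_path; do
            if [ ! -f "$cdc_path" ]; then
                printf '%s\t%s\n' "$cdc_stanza" "$cdc_path"
                cdc_rc=1
            fi
        done
        exit "$cdc_rc"
    )
}

# Run against a real installation when called with two arguments.
if [ "$#" -eq 2 ]; then
    check_datetime_config "$1" "$2"
fi
```

Run it on the host that parses the events, because the path is resolved against that host's $SPLUNK_HOME; a non-zero exit status makes it usable as a pre-upgrade gate.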
Troubleshoot upgrading
If you are having issues upgrading to version 2.2.2, see the following sections:
Upgrade from 2.2.0 or 2.1.1 to 2.2.2
There are no known issues when upgrading from versions 2.2.0 or 2.1.1 to 2.2.2.
Upgrade from 2.1.0 to 2.2.2
Version 2.1.1 of this add-on changed the timestamp extraction behavior. That release corrected the way that the Splunk platform selects the timestamp from the three timestamps available in Cisco ISE data. This change may cause a time jump in your data at the upgrade point.
Upgrade from versions older than 2.1.0 to 2.2.2
If you have any version of the Splunk Add-on for Cisco ISE currently installed that is older than version 2.1.0, version 2.2.2 will not update or replace your current installation. Because the pre-2.1.0 community-supported versions of this add-on had a different folder structure, this add-on behaves as a new installation, not as an upgrade.
To upgrade from any version prior to 2.1.0 to version 2.2.2, complete these steps:
- Download and install version 2.2.2 of the add-on from Splunkbase.
- Disable your previous version in the Splunk platform.
- Enable version 2.2.2 of the add-on.
- Create and adjust your local .conf files as needed to match your old configurations.
- Verify your configurations work as expected.
- Delete the older version of the add-on.