Hello,
Have a question. I had my Cisco logs indexed as sourcetype=syslog, coming from a syslog server and sent to Splunk with a forwarder. I then installed the Cisco Networks App and changed the sourcetype of these logs to cisco:ios, but I've noticed there are some events which are merged into one single event (no event breaking at the timestamp as usual).
Are there some considerations I should take into account regarding props.conf in the App, as I'm receiving logs from a forwarder and not from the devices themselves?
Attached are some images of what I'm seeing in Splunk: the first image shows how the event looks (9 Cisco events in 1 Splunk event), and the second image shows where, after the first device hostname, it takes everything as the device_time.
![Event][1]
![Logs being taken as device_time][2]
Any help is much appreciated.
[1]: /storage/temp/114208-evento.png
[2]: /storage/temp/114209-timestamp.png
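As an added illustration (not the Cisco Networks App's own props.conf and not from the poster), this is the kind of parsing-tier stanza that addresses the two symptoms above: events merged together and the timestamp extractor running past the hostname. It assumes the syslog server writes one event per line with its own `Mon DD HH:MM:SS host` header in front of the device's message; the line format, regex and stanza values below are constructed assumptions, and the stanza only has effect on the indexer or heavy forwarder, since a universal forwarder does not parse events.

```ini
# Added example props.conf (assumed line format, not the app's shipped config).
# Assumed raw line from the syslog server:
#   Mar  5 10:15:01 rtr01 123: *Mar  5 10:15:00.321: %SYS-5-CONFIG_I: Configured from console
[cisco:ios]
# Weak setting (the default): SHOULD_LINEMERGE = true makes Splunk glue
# consecutive lines together whenever it does not recognise a timestamp on
# them, which is how 9 device messages end up inside 1 Splunk event.
# Corrected: break on every newline that is followed by a syslog-style header.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)
# Pin the timestamp to the syslog header at the start of the event and stop
# looking after it, so the text following the hostname is never consumed
# as part of the time (the device_time symptom in the second image).
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# Cap runaway events if a line ever slips past the breaker.
TRUNCATE = 10000
```

Check the result on a small sample with the `_raw` of a handful of events after a restart of the parsing tier, since props.conf line-breaking settings only apply to data indexed after the change, not to events already on disk.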