@ash-darin ash-darin commented Jan 20, 2026

  • Bug

Proposed commit message

All pipelines except the pipeline_monitoring_data_purge_audit subpipeline extract the timezone of the event to event.timezone. (Compare:

- "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details_raw},"
)

If this is not done, the timestamp will not be parsed correctly by the following logic. This PR brings the pipeline in line with all other pipelines.

Checklist

  • [y] I have reviewed tips for building integrations and this pull request is aligned with them.
  • [y] I have added an entry to my package's changelog.yml file.

Author's Checklist

  • Compare this to handling in all other subpipelines

How to test this PR locally

I added a test case with a diverging timezone. Other than that, you should check your installation for

cisco_ise.log.category.name: CISE_MONITORING_DATA_PURGE_AUDIT

field: message
patterns:
- '%{TIMEONLYSTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:_tmp.timezone} %{DATA:event.sequence:long} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details_raw},'
- '%{TIMEONLYSTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details_raw},'
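
Review bot: check the rest of this subpipeline for remaining references to `_tmp.timezone` now that the `%{ISO8601_TIMEZONE:...}` capture in this pattern writes to `event.timezone`; the hunk shows only the grok pattern, so a later step that still reads or removes the old field would not be caught here. A short comment beside the pattern saying that the offset is captured to `event.timezone` for the timestamp parsing that follows would also help the next reader.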
Contributor Author

This is event.timezone in all other pipelines.

@ash-darin ash-darin marked this pull request as ready for review January 20, 2026 13:30
@ash-darin ash-darin requested a review from a team as a code owner January 20, 2026 13:30
@andrewkroh andrewkroh added the Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] label Jan 20, 2026
@elasticmachine
Pinging @elastic/integration-experience (Team:Integration-Experience)

Labels

Integration:cisco_ise Cisco ISE Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience]
