https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188650#M19136 <P>I've just installed the Cisco Networks Add-on and Cisco Networks App in my Splunk environment, and am quite pleased with the dashboards.</P> <P>I am running into a problem with how my Cisco devices/hostnames are getting reported. My "unique devices", as well as every report that uses this field, is showing my syslog hostname instead of my Cisco devices.</P> <P>The dashboard is using <STRONG>dvc</STRONG> to render reports, but my actual device IP addresses (I wish I could have them resolve to IP addresses) are getting stuffed into <STRONG>reported_hostname</STRONG>. Incidentally, my syslog server is receiving syslog traffic, and sending all into one folder for all IOS devices. </P> <P><STRONG>My UF's inputs.conf:</STRONG></P> <PRE><CODE>[monitor:///my-syslog-data/ios.log] source=syslog sourcetype=cisco:ios host = </CODE></PRE> <P>In addition to the universal forwarder, which is my syslog server, I've installed the add-on on my Indexers and search heads as well, no changes made on them.</P> <P>I've tried making changes to my indexers' props.conf and transforms.conf, however, I seem to be missing the right changes needed to make my dashboards report each device uniquely versus all of them as my syslog host.</P> <P>Thanks in advance,</P> <P>-mi</P> Fri, 28 Aug 2015 13:18:40 GMT nychawk 2015-08-28T13:18:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188650#M19136 <P>I've just installed the Cisco Networks Add-on and Cisco Networks App in my Splunk environment, and am quite pleased with the dashboards.</P> <P>I am running into a problem with how my Cisco devices/hostnames are getting reported. My "unique devices", as well as every report that uses this field, is showing my syslog hostname instead of my Cisco devices.</P> <P>The dashboard is using <STRONG>dvc</STRONG> to render reports, but my actual device IP addresses (I wish I could have them resolve to IP addresses) are getting stuffed into <STRONG>reported_hostname</STRONG>. Incidentally, my syslog server is receiving syslog traffic, and sending all into one folder for all IOS devices. </P> <P><STRONG>My UF's inputs.conf:</STRONG></P> <PRE><CODE>[monitor:///my-syslog-data/ios.log] source=syslog sourcetype=cisco:ios host = </CODE></PRE> <P>In addition to the universal forwarder, which is my syslog server, I've installed the add-on on my Indexers and search heads as well, no changes made on them.</P> <P>I've tried making changes to my indexers' props.conf and transforms.conf, however, I seem to be missing the right changes needed to make my dashboards report each device uniquely versus all of them as my syslog host.</P> <P>Thanks in advance,</P> <P>-mi</P> Fri, 28 Aug 2015 13:18:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188650#M19136 nychawk 2015-08-28T13:18:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188651#M19137 <P>how look the entries in the ios.log file, do they contain the correct hostname?</P> Fri, 28 Aug 2015 13:50:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188651#M19137 FritzWittwer_ol 2015-08-28T13:50:51Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188652#M19138 <P>Have a look at the thread below. The best solution would be to change your syslog server to log each device to its own directory and use host_segment=N in the inputs stanza</P> <P><A href="http://answers.splunk.com/answers/277657/can-the-cisco-network-app-for-splunk-enterprise-us-1.html#answer-277693">http://answers.splunk.com/answers/277657/can-the-cisco-network-app-for-splunk-enterprise-us-1.html#answer-277693</A></P> <P>Don't set your source! Only set the sourcetype to either cisco:ios or syslog . If you set it to syslog there's a transform called syslog-host which is going to be applied automatically that should take care of the host problem. dvc is just a field aliased to host.</P> <P>If this doesn't work you need to check your syslog server settings. Some syslog servers append hostnames whenever a message is relayed and we don't want that.</P> <P>Please accept or upvote helpful answers.</P> <P>Mikael<BR /> Author of the Cisco Networks App</P> Fri, 28 Aug 2015 14:00:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188652#M19138 mikaelbje 2015-08-28T14:00:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188653#M19139 <P>As your forwarder is running on the syslog server, you could use the forwarder as your syslog server by defining an udp input as</P> <PRE><CODE>[udp://514] source=syslog sourcetype=cisco:ios connection_host = dns </CODE></PRE> <P>Saves you some iops on the server and gives you the host in the event. In this case you have to logs of course only in splunk, and I can not say if the app will be able to deal with the events.</P> Fri, 28 Aug 2015 14:23:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188653#M19139 FritzWittwer_ol 2015-08-28T14:23:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188654#M19140 <P>They contain IP address, patterns match those provided in the sample.log. </P> Fri, 28 Aug 2015 14:45:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188654#M19140 nychawk 2015-08-28T14:45:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188655#M19141 <P>props.conf</P> <PRE><CODE>[your_sourcetype] TRANSFORMS-hosts = real_host </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[real_host] DEST_KEY = MetaData:Host REGEX = FORMAT = host::$1 </CODE></PRE> <P>fill the regex with the expression needed to retrieve the host from your logs. should be the same used to retrieve reported_hostname.</P> <P>More info from docs:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Overridedefaulthostassignments">http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Overridedefaulthostassignments</A></P> Fri, 28 Aug 2015 14:57:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188655#M19141 diogofgm 2015-08-28T14:57:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188656#M19142 <P>My syslog server parses logs for other than Cisco devices, which is feeding various sourcetypes.</P> <P>I like this idea though, thank you.</P> Fri, 28 Aug 2015 19:06:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188656#M19142 nychawk 2015-08-28T19:06:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188657#M19143 <P>I changed sourcetype on my UF's inputs.conf from cisco:ios to syslog and now all my devices are showing up with their IP addresses; thank you.</P> Fri, 28 Aug 2015 20:38:33 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Networks-Add-on-for-Splunk-Enterprise-How-to-get-reports/m-p/188657#M19143 nychawk 2015-08-28T20:38:33Z