After installing the Cisco Networks App and Add-on for Splunk Enterprise 2.3.0 on Splunk 6.2, why do dashboards now show "No Search Query Provided"?

beukesmar
New Member

I have installed the latest Add-on and Cisco Network App for Splunk Enterprise, but many of the dashboards don't work anymore and display the following message: "No Search Query Provided". When I check the dashboards, the search string is in fact empty.

Running Splunk 6.2

0 Karma

mikaelbje
Motivator

Damn, Cisco! They seem to keep changing the format of the IOS XR logs between software versions.

I just made an update to correct your case. Could you try to get the latest TA-cisco_ios from https://github.com/inspired/TA-cisco_ios ?
Remember to upgrade both search heads and indexers with the latest TA-cisco_ios.

You do not need to upgrade cisco_ios.

Let me know if this fixes your issue and please mark as Answered if it does 🙂

0 Karma

beukesmar
New Member

Hi Mikael,

This did solve it partly, it seems the regex still does not catch all the cisco:ios messages from these XR routers... they are marked as syslog.

Maybe I can send you more examples of the syslog as it comes from the routers?

Regards,
Marius

0 Karma

mikaelbje
Motivator

Sure, send more samples 🙂 In fact, try to use the Issues thing on GitHub for TA-cisco_ios to submit the samples and a short description. Makes it easier for me to keep track.

0 Karma

mikaelbje
Motivator

Hi!

  1. Do you have any local changes in TA-cisco_ios/local and cisco_ios/local?
  2. Could you try deleting the apps and re-installing them? A complete deletion of the folders is what you need to do.
  3. Do you run a distributed environment? Did you upgrade TA-cisco_ios on your indexers too?
  4. Exact Splunk version?
  5. Exact Cisco Networks app version?

0 Karma

beukesmar
New Member

Hi, sorry for the late reply.

A complete delete and re-install was done initially. I was mistaken; my Splunk version is 6.1.3. It is a distributed environment and the TA package was installed on the indexers as per instructions.

The reason for the upgrade is that our XR routers' syslog does not get marked as cisco:ios and I thought this would fix that. The syslog format looks like this:

Oct 9 09:59:46 10.117.0.147 85915: za-mid-mtb-msr01 RP/0/RSP0/CPU0:Oct 9 09:59:46.271 : exec[65908]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'argus' from '10.117.1.18' on 'vty3'

I will upgrade to 6.2 if required to get the XR syslog to work as certain dashboards we built depend on this.

Regards,
Marius

0 Karma
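Added example, not part of the thread and not the regex shipped in TA-cisco_ios: a Python sketch of why the IOS XR line quoted above is missed by a pattern that only expects the classic IOS `%FACILITY-SEVERITY-MNEMONIC:` tag, and how an XR-aware pattern recovers the fields. All pattern and function names are assumptions, and the two non-XR sample lines are constructed.

```python
import re

# Constructed inputs: the first is the IOS XR line quoted in the post above,
# the other two are made-up lines for contrast.
XR_LINE = ("Oct 9 09:59:46 10.117.0.147 85915: za-mid-mtb-msr01 "
           "RP/0/RSP0/CPU0:Oct 9 09:59:46.271 : exec[65908]: "
           "%SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated "
           "user 'argus' from '10.117.1.18' on 'vty3'")
IOS_LINE = ("Oct 9 10:01:02 10.117.0.20 1234: Oct 9 10:01:01.123: "
            "%SYS-5-CONFIG_I: Configured from console by admin on vty0")
OTHER_LINE = "Oct 9 10:02:00 host1 sshd[411]: Accepted password for bob"

# Classic IOS tag (assumed pattern): %FACILITY-SEVERITY-MNEMONIC:
IOS_TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# IOS XR: node-id:timestamp : process[pid]: %CATEGORY-GROUP-SEVERITY-CODE : text
XR_EVENT = re.compile(
    r"(?P<node>[\w/]+/CPU\d+):"
    r"(?P<device_time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+)(?:\s+\w+)?\s*:\s*"
    r"(?P<process>[\w.-]+)\[(?P<pid>\d+)\]\s*:\s*"
    r"%(?P<category>[A-Z0-9_]+)-(?P<group>\w+)-(?P<severity>[0-7])-(?P<code>[A-Z0-9_]+)\s*:\s*"
    r"(?P<message>.*)$"
)
AUTH_OK = re.compile(r"user '(?P<user>[^']*)' from '(?P<src>[^']*)' on '(?P<line>[^']*)'")

def parse_xr(line):
    """Return the XR fields as a dict, or None if the line is not XR-formatted."""
    m = XR_EVENT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    auth = AUTH_OK.search(fields["message"])
    if fields["code"] == "AUTHEN_SUCCESS" and auth:
        fields.update(auth.groupdict())  # user, src, line for login monitoring
    return fields

def classify(line):
    """Pick a sourcetype name the way a regex-based override would."""
    if XR_EVENT.search(line) or IOS_TAG.search(line):
        return "cisco:ios"
    return "syslog"

if __name__ == "__main__":
    for sample in (XR_LINE, IOS_LINE, OTHER_LINE):
        print(classify(sample), parse_xr(sample))
```

The extra group name between category and severity (`login` here) is what makes the classic three-part pattern fail on XR lines, so login events like this one stay under `syslog` unless the XR layout is matched explicitly.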

mikaelbje
Motivator

See my answer below 🙂

0 Karma