I've recently upgraded Cisco Networks App for Splunk Enterprise to ciscoios 2.3.0, shortly followed by an upgrade to the TA on my Universal Forwarder and Indexers to TA-ciscoios 2.3.0.
My UF has its inputs.conf configured as:
BTW, I've also tried setting this to "sourcetype=cisco:ios".
Where before I was receiving data inside of the app, now I am seeing "No results found." for each panel, except for "Diagnostic messages", where I am now seeing "Error in 'lookup' command: The lookup table 'ciscoiosseverity' does not exist."
I've gone through the install setup for the add-on again, and am not able to determine why I am not seeing data.
I've confirmed that my syslog file is from valid IOS devices. By the way, all of my devices are currently writing to the same file, and have always done so.
Thank you for your response, I don't recall adding the TA to my search head, but I just installed it; my results are much better, thank you!
On another topic, how do I populate information like site, software versions, model, etc?
By the way, awesome app, thank you!
Glad you sorted it out.
The Inventory stuff is populated by Smart Call Home. See the Help page 🙂 It only works for 3000 series and up, not 2960s.
Is extracting this information via SNMP on your roadmap?
No, not currently. My best suggestion is to get this data from a third party solution such as a CMDB. That way you're able to get inventory details for other assets in your organization too.
I will try to populate it using Qualys...