
After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

Communicator

Hello;

I've recently upgraded Cisco Networks App for Splunk Enterprise to cisco_ios 2.3.0, shortly followed by an upgrade to the TA on my Universal Forwarder and Indexers to TA-cisco_ios 2.3.0.

My UF has its inputs.conf configured as:

[monitor:///syslog-data/ios.log]
sourcetype=syslog

BTW, I've also tried setting this to "sourcetype=cisco:ios".

Where before I was receiving data inside of the app, now I am seeing "No results found." for each panel, except for "Diagnostic messages", where I am now seeing "Error in 'lookup' command: The lookup table 'ciscoiosseverity' does not exist."

I've gone through the install setup for the add-on again, and am not able to determine why I am not seeing data.

I've confirmed that my syslog file is from valid IOS devices. By the way, all of my devices are currently writing to the same file, and have always done so.

Any suggestions?

-mi


Re: After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

Motivator

Hi!

  1. What Splunk version are you running?
  2. You did not specify that you upgraded TA-cisco_ios to 2.3.0 on your SEARCH HEAD. Did you do this?
  3. Could you post some samples from your ios.log?
  4. Could you try deleting the app and add-on from your servers and then reinstalling them?

Regards,
Mikael


Re: After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

Communicator

Hi Mikael;

Thank you for your response. I don't recall adding the TA to my search head, but I just installed it; my results are much better, thank you!

On another topic, how do I populate information like site, software versions, model, etc.?

By the way, awesome app, thank you!

-mi


Re: After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

Motivator

Glad you sorted it out.

The Inventory stuff is populated by Smart Call Home. See the Help page 🙂 It only works for 3000 series and up, not 2960s.


Re: After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

Communicator

Is extracting this information via SNMP on your roadmap?

Kind regards,

-mi


Re: After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

Motivator

No, not currently. My best suggestion is to get this data from a third party solution such as a CMDB. That way you're able to get inventory details for other assets in your organization too.


Re: After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

Communicator

I will try to populate it using Qualys...
