Running Splunk Cloud v 7.0.13.
Cisco ACI App installed on Splunk Cloud V 4.0.1
I installed the Cisco ACI Add-on to an existing heavy forwarder (which is already forwarding data to our cloud instance) and, based on the splunkd.log, it looks like it is communicating with the ACI devices just fine.
I do not see any cisco data hitting our cloud instance. I've been looking through the Splunk FAQs for some tips on where to look to troubleshoot this.
I have verified the following:
1. Cisco ACI add-on scripts are all enabled on the forwarder
2. splunkd.log (on the forwarder) indicates it is connecting and communicating with the Cisco device.
Looking for suggestions on how to troubleshoot this.
Thanks!
Jon
Ok, final update.
The bottom line was the settings in the eventtypes.conf file needed to be manually added to our Splunk Cloud search head.
After that is done... it works fine.
So if you are running a distributed Splunk configuration... make sure you either copy over the eventtypes.conf from the add-on's ./default directory or manually add them (there were only 5 eventtypes in the ACI add-on).
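
The check described in this post, as an added example that is not part of the original thread and is not Splunk or Cisco code: it compares the eventtype pattern used by the dropdown search with the stanzas defined in the search head's eventtypes.conf, and lists the add-on stanzas that still need copying. The stanza names, sourcetypes and conf contents are constructed placeholders; only the dropdown search is taken from the thread.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of an add-on's default/eventtypes.conf.
# Stanza names and sourcetypes are placeholders, not the add-on's real ones.
ADDON_EVENTTYPES = """\
# shipped with the add-on on the forwarder
[cisco_apic_example_a]
search = sourcetype="cisco:apic:example_a"

[cisco_apic_example_b]
search = sourcetype="cisco:apic:example_b"
"""

# Constructed sample of a search head that never received those stanzas.
SEARCH_HEAD_EVENTTYPES = """\
[some_other_eventtype]
search = sourcetype=syslog
"""

# The dropdown search quoted in the thread.
DROPDOWN_SEARCH = ('eventtype="cisco_apic_*" component=credentials '
                   '| fields apic_host | dedup apic_host | SORT apic_host')

def stanza_names(conf_text):
    """Return the [stanza] names found in .conf text (comment lines never match)."""
    names = set()
    for line in conf_text.splitlines():
        m = re.match(r"^\[([^\]]+)\]$", line.strip())
        if m:
            names.add(m.group(1).lower())
    return names

def eventtype_patterns(spl):
    """Extract eventtype=<name or wildcard> terms from a search string."""
    return [p.lower() for p in
            re.findall(r'\beventtype\s*=\s*"?([\w:*.-]+)"?', spl)]

def unresolved_eventtypes(spl, search_head_conf):
    """Patterns in the search that match no eventtype on the search head."""
    defined = stanza_names(search_head_conf)
    return [p for p in eventtype_patterns(spl)
            if not any(fnmatchcase(name, p) for name in defined)]

def missing_on_search_head(addon_conf, search_head_conf):
    """Add-on eventtypes that still have to be added to the search head."""
    return sorted(stanza_names(addon_conf) - stanza_names(search_head_conf))

if __name__ == "__main__":
    print(unresolved_eventtypes(DROPDOWN_SEARCH, SEARCH_HEAD_EVENTTYPES))
    print(missing_on_search_head(ADDON_EVENTTYPES, SEARCH_HEAD_EVENTTYPES))
```

A non-empty first list means the dashboard filters on an eventtype that does not exist at search time, which returns no events even though the data is indexed.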
Another update:
I think the data is all there, but the Cisco APP is checking the following in order to populate the dropdown list of APIC Hosts:
eventtype="cisco_apic_*" component=credentials | fields apic_host | dedup apic_host | SORT apic_host
However there is no eventtype with "cisco*".
There is a
sourcetype="cisco:apic:*"
In fact, if I change the search on the dropdown as follows
Change: eventtype="cisco_apic_"
To: sourcetype="cisco:apic:"
it works fine.
I wonder if there is a conflict with the version of the Cisco ACI APP running on our search head, and the Cisco ACI Add-on running on the forwarder?
Ok, I do see data coming in from the forwarder. It is being added to the main index. I'm assuming that I also need to add the "apic" index on the forwarder as well?
I added the index 'apic' to Splunk Cloud. I've been checking for data found in the 'apic' index but nothing so far. I verified the forwarder is up and running.
Is there anything I can check on the forwarder to see if it's even attempting to forward the ACI data to the Cloud? I know that it is forwarding other data to the cloud with no issues.
I'll keep digging...


Did you create the index(es) needed by the add-on?
If this reply helps you, Karma would be appreciated.
That's probably the issue. The app had been installed on Splunk cloud a while ago by someone else and I don't see an index named 'apic'.
I will add it and test.
I'll reply with the results.
Thanks!
Jon
