I recently changed some things around our Splunk instance at the request of my customer. On our production system, there were no issues. But when I went back to clean up the lab side, I noticed that the Cisco App stopped working.
On the main page, it only displays port flapping, but nothing else. When I go manually search for sourcetype="cisco:ios", I get thousands of results.
The only thing that I changed was splitting up which port our switches and routers send syslogs to. Again, they appear to be indexing properly and are getting tagged as 'cisco:ios'.
Any suggestions? Thanks!
Edit: One year later (almost to the day), I encountered the same issue but had a different cause/solution. I have the TA-Cisco-ios and Splunk_TA_nix running on my searchhead. The incoming Cisco events were being tagged with the eventtype 'nix-all-logs' due to a configuration in Splunk_TA_nix. To fix this issue, I had to create a local copy of 'eventtypes.conf' for Splunk_TA_nix and specify that several of the *nix eventtypes should only be drawn from the linux index. It fixed my issues, my Cisco events were tagged properly, and the app worked again.
Hi @DBattisto ,
it should be der,
please see the image for the reference,
Upgraded to 7.2.4 and saw it. Now it works again. Thank you!!
Glad it worked for you 🙂
have you tried rebuilding data model?
Thanks for the suggestion! I'm afraid I'm not familiar with that process. Do you have a good link to follow? This is what I've found on data models, and am not sure if this is what you're referring to:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Managedatamodels
Hi mate,
You can go to settings>under Knowledge - Data models . Search for Cisco_ios_event. Expand (>
)and you will see an update and rebuild option.
If it still doesn't work, you can try this - try mentioning the index name(your index) if its not present in the eventtypes and macros.
Late reply: I did not see the 'update and rebuild' option. The problem is still occurring, but I have not had time to troubleshoot much.