Cisco App has stopped working after a recent "upgrade"

Path Finder

I recently changed some things around our Splunk instance at the request of my customer. On our production system, there were no issues. But when I went back to clean up the lab side, I noticed that the Cisco App stopped working.

On the main page, it only displays port flapping, but nothing else. When I manually search for sourcetype="cisco:ios", I get thousands of results.

The only thing that I changed was splitting up which port our switches and routers send syslogs to. Again, they appear to be indexing properly and are getting tagged as 'cisco:ios'.

Any suggestions? Thanks!

Edit: One year later (almost to the day), I encountered the same issue but had a different cause/solution. I have the TA-Cisco-ios and Splunk_TA_nix running on my search head. The incoming Cisco events were being tagged with the eventtype 'nix-all-logs' due to a configuration in Splunk_TA_nix. To fix this issue, I had to create a local copy of 'eventtypes.conf' for Splunk_TA_nix and specify that several of the *nix eventtypes should only be drawn from the linux index. It fixed my issues: my Cisco events were tagged properly, and the app worked again.

0 Karma
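
The fix described in the edit above (a local `eventtypes.conf` that limits the *nix eventtypes to the linux index) can be prepared by auditing which eventtypes carry no index constraint. This is an added example, not code from the thread or from Splunk_TA_nix; the sample stanzas and search strings are constructed, and only the name `nix-all-logs` and the index `linux` come from the post.

```python
import re

# Constructed stand-in for an app's default/eventtypes.conf. Only the name
# nix-all-logs comes from the post; the other stanzas and all search strings
# are made up for illustration.
SAMPLE_DEFAULT_CONF = """\
[nix-all-logs]
search = sourcetype=syslog OR source="/var/log/*"

[nix_errors]
search = index=linux sourcetype=syslog error

# a trailing backslash continues the value on the next line
[nix_security]
search = sourcetype=linux_secure \\
    OR sourcetype=auth
"""

INDEX_TERM = re.compile(r"\bindex\s*=", re.IGNORECASE)  # index!= does not scope

def parse_eventtypes(text):
    """Return {stanza: search string}, joining backslash continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = ""
        elif current:
            key, _, value = line.partition("=")
            if key.strip() == "search":
                stanzas[current] = value.strip()
    return stanzas

def unscoped(stanzas):
    """Eventtypes whose search names no index, so they match events in any index."""
    return sorted(n for n, s in stanzas.items() if s and not INDEX_TERM.search(s))

def local_override(stanzas, index):
    """Text for local/eventtypes.conf that pins each unscoped eventtype to index."""
    return "\n".join(f"[{n}]\nsearch = index={index} ({stanzas[n]})\n"
                     for n in unscoped(stanzas))

if __name__ == "__main__":
    print(local_override(parse_eventtypes(SAMPLE_DEFAULT_CONF), "linux"))
```

Run it against the real `default/eventtypes.conf` of the add-on and review the generated stanzas before placing them in the add-on's `local/eventtypes.conf`.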

Contributor

Hi @DBattisto ,

it should be there,

please see the image for the reference,


Path Finder

Upgraded to 7.2.4 and saw it. Now it works again. Thank you!!

0 Karma

Contributor

Glad it worked for you 🙂

0 Karma

Contributor

Have you tried rebuilding the data model?

Path Finder

Thanks for the suggestion! I'm afraid I'm not familiar with that process. Do you have a good link to follow? This is what I've found on data models, and am not sure if this is what you're referring to:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Managedatamodels

0 Karma

Contributor

Hi mate,

You can go to Settings > under Knowledge - Data models. Search for Cisco_ios_event. Expand (>) and you will see an update and rebuild option.

If it still doesn't work, you can try this: try mentioning the index name (your index) if it's not present in the eventtypes and macros.

Path Finder

Late reply: I did not see the 'update and rebuild' option. The problem is still occurring, but I have not had time to troubleshoot much.

0 Karma