Cisco App has stopped working after a recent "upgrade"

DBattisto
Communicator

I recently changed some things around our Splunk instance at the request of my customer. On our production system, there were no issues. But when I went back to clean up the lab side, I noticed that the Cisco App stopped working.

On the main page, it only displays port flapping, but nothing else. When I manually search for sourcetype="cisco:ios", I get thousands of results.

The only thing that I changed was splitting up which port our switches and routers send syslogs to. Again, they appear to be indexing properly and are getting tagged as 'cisco:ios'.

Any suggestions? Thanks!

Edit: One year later (almost to the day), I encountered the same issue but had a different cause/solution. I have the TA-Cisco-ios and Splunk_TA_nix running on my search head. The incoming Cisco events were being tagged with the eventtype 'nix-all-logs' due to a configuration in Splunk_TA_nix. To fix this issue, I had to create a local copy of 'eventtypes.conf' for Splunk_TA_nix and specify that several of the *nix eventtypes should only be drawn from the linux index. It fixed my issues: my Cisco events were tagged properly, and the app worked again.

0 Karma
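The eventtype collision described in the edit above can be checked for offline. This is an added example, not code from the post or from either TA: it merges an app's default and local `eventtypes.conf` (local wins) and lists eventtypes whose search has no `index=` term. The stanza searches and the `nix_errors` name are constructed; the `linux` index name is taken from the post.

```python
import configparser
import re

# Constructed sample stanzas; NOT the real contents of Splunk_TA_nix.
# nix_errors is a hypothetical eventtype used only for contrast.
DEFAULT_CONF = '''
[nix-all-logs]
search = source="*.log" OR sourcetype=syslog

[nix_errors]
search = index=linux sourcetype=syslog error
'''

# Local override in the spirit of the fix: scope the eventtype to one index.
LOCAL_CONF = '''
[nix-all-logs]
search = index=linux (source="*.log" OR sourcetype=syslog)
'''

# Heuristic: an index carried inside a macro is not detected.
INDEX_TERM = re.compile(r'\bindex\s*=', re.IGNORECASE)

def parse(text):
    """Parse eventtypes.conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def merge(default, local):
    """Layer local settings over default ones, key by key."""
    merged = {name: dict(attrs) for name, attrs in default.items()}
    for name, attrs in local.items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def unscoped_eventtypes(stanzas):
    """Eventtypes that can match events from any index."""
    return sorted(name for name, attrs in stanzas.items()
                  if not INDEX_TERM.search(attrs.get("search", "")))

if __name__ == "__main__":
    default = parse(DEFAULT_CONF)
    print("default only:", unscoped_eventtypes(default))
    print("with local:  ", unscoped_eventtypes(merge(default, parse(LOCAL_CONF))))
```

Any eventtype it reports can tag events from other sources, such as the Cisco syslog data here, whenever the rest of its search happens to match them.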

vinod94
Contributor

Hi @DBattisto ,

It should be there.

Please see the image for reference.

DBattisto
Communicator

Upgraded to 7.2.4 and saw it. Now it works again. Thank you!!

0 Karma

vinod94
Contributor

Glad it worked for you 🙂

0 Karma

vinod94
Contributor

Have you tried rebuilding the data model?

DBattisto
Communicator

Thanks for the suggestion! I'm afraid I'm not familiar with that process. Do you have a good link to follow? This is what I've found on data models, and am not sure if this is what you're referring to:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Managedatamodels

0 Karma

vinod94
Contributor

Hi mate,

You can go to Settings > under Knowledge - Data models. Search for Cisco_ios_event. Expand (>) and you will see an update and rebuild option.

If it still doesn't work, you can try this: mention the index name (your index) if it's not present in the eventtypes and macros.

DBattisto
Communicator

Late reply: I did not see the 'update and rebuild' option. The problem is still occurring, but I have not had time to troubleshoot much.

0 Karma