All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco App has stopped working after a recent "upgrade"

DBattisto
Communicator
‎02-05-2019 04:08 PM

I recently changed some things around our Splunk instance at the request of my customer. On our production system, there were no issues. But when I went back to clean up the lab side, I noticed that the Cisco App stopped working.

On the main page, it only displays port flapping, but nothing else. When I go manually search for sourcetype="cisco:ios", I get thousands of results.

The only thing that I changed was splitting up which port our switches and routers send syslogs to. Again, they appear to be indexing properly and are getting tagged as 'cisco:ios'.

Any suggestions? Thanks!

Edit: One year later (almost to the day), I encountered the same issue but had a different cause/solution. I have the TA-Cisco-ios and Splunk_TA_nix running on my searchhead. The incoming Cisco events were being tagged with the eventtype 'nix-all-logs' due to a configuration in Splunk_TA_nix. To fix this issue, I had to create a local copy of 'eventtypes.conf' for Splunk_TA_nix and specify that several of the *nix eventtypes should only be drawn from the linux index. It fixed my issues, my Cisco events were tagged properly, and the app worked again.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vinod94
Contributor
‎02-19-2019 10:12 PM

Hi @DBattisto ,

it should be der,

please see the image for the reference,

alt text

View solution in original post

Preview file
57 KB
Reply
Solved! Jump to solution
Solution

vinod94
Contributor
‎02-19-2019 10:12 PM

Hi @DBattisto ,

it should be der,

please see the image for the reference,

alt text

Preview file
57 KB
Reply
Solved! Jump to solution

DBattisto
Communicator
‎02-20-2019 05:12 AM

Upgraded to 7.2.4 and saw it. Now it works again. Thank you!!

0 Karma
Reply
Solved! Jump to solution

vinod94
Contributor
‎02-09-2020 10:37 AM

Glad it worked for you 🙂

0 Karma
Reply
Solved! Jump to solution

vinod94
Contributor
‎02-05-2019 10:58 PM

have you tried rebuilding data model?

Reply
Solved! Jump to solution

DBattisto
Communicator
‎02-06-2019 05:15 AM

Thanks for the suggestion! I'm afraid I'm not familiar with that process. Do you have a good link to follow? This is what I've found on data models, and am not sure if this is what you're referring to:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Managedatamodels

0 Karma
Reply
Solved! Jump to solution

vinod94
Contributor
‎02-06-2019 10:03 PM

Hi mate,

You can go to settings>under Knowledge - Data models . Search for Cisco_ios_event. Expand (>)and you will see an update and rebuild option.

If it still doesn't work, you can try this - try mentioning the index name(your index) if its not present in the eventtypes and macros.

Reply
Solved! Jump to solution

DBattisto
Communicator
‎02-19-2019 04:12 PM

Late reply: I did not see the 'update and rebuild' option. The problem is still occurring, but I have not had time to troubleshoot much.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...