I recently changed some things around our Splunk instance at the request of my customer. On our production system, there were no issues. But when I went back to clean up the lab side, I noticed that the Cisco App stopped working.
On the main page, it only displays port flapping, but nothing else. When I manually search for sourcetype="cisco:ios", I get thousands of results.
The only thing that I changed was splitting up which port our switches and routers send syslogs to. Again, they appear to be indexing properly and are getting tagged as 'cisco:ios'.
Any suggestions? Thanks!
Edit: One year later (almost to the day), I encountered the same issue but had a different cause/solution. I have the TA-Cisco-ios and Splunk_TA_nix running on my search head. The incoming Cisco events were being tagged with the eventtype 'nix-all-logs' due to a configuration in Splunk_TA_nix. To fix this issue, I had to create a local copy of 'eventtypes.conf' for Splunk_TA_nix and specify that several of the *nix eventtypes should only be drawn from the linux index. It fixed my issues, my Cisco events were tagged properly, and the app worked again.
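As an added illustration of the fix described in the edit above (this is not the poster's actual file, and nothing here comes from the Splunk_TA_nix package itself): a local override of eventtypes.conf that pins the *nix eventtypes to the linux index. The stanza name nix-all-logs is the one named in the post; the other stanza names and every search string are assumptions for illustration only. In practice you copy each real search from the app's default/eventtypes.conf and prepend the index term, rather than retyping it from memory.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/eventtypes.conf
#
# Added example, not the poster's configuration. Splunk layers local/
# over default/, so stanzas here override the shipped definitions
# without editing the app (and survive an app upgrade). This must live
# on the search head, because eventtypes are evaluated at search time.
#
# The search strings below are illustrative placeholders; replace the
# part in parentheses with the exact search from default/eventtypes.conf.

[nix-all-logs]
# Before (illustrative): search = (sourcetype=linux_* OR sourcetype=syslog)
# Without an index term, any sourcetype=syslog event, including Cisco
# syslog that later gets retagged cisco:ios, can match this eventtype.
search = index=linux (sourcetype=linux_* OR sourcetype=syslog)

[nix-syslog]
# Hypothetical stanza name, shown only to illustrate repeating the fix
# for each *nix eventtype that collided with the Cisco events.
search = index=linux sourcetype=syslog
```

To see which eventtypes currently claim the Cisco events, run sourcetype="cisco:ios" | stats count by eventtype before and after the change; nix-all-logs should disappear from the results. To confirm which stanza actually wins after layering, use $SPLUNK_HOME/bin/splunk btool eventtypes list nix-all-logs --debug on the search head, which prints the merged definition together with the file it came from. A debug/refresh of the search head (or a restart) is needed for the new eventtypes.conf to take effect.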
Thanks for the suggestion! I'm afraid I'm not familiar with that process. Do you have a good link to follow? This is what I've found on data models, and I'm not sure if this is what you're referring to:
You can go to Settings > Knowledge > Data models. Search for Cisco_ios_event. Expand (>) and you will see an update and rebuild option.
If it still doesn't work, you can try this: mention the index name (your index) if it's not present in the eventtypes and macros.