Cisco Firewall Add-On 2.0 w/ Splunk for Cisco Security - summary indexing

dbylertbg
Path Finder

I recently downloaded and installed both the Splunk for Cisco Firewalls Add-on and the Splunk for Cisco Security app. I noticed while reading the Splunk for Cisco Firewalls README that I could enable summary indexing to populate some of the Splunk for Cisco Security dashboards for me so the app would feel more responsive, so I followed the instructions on creating the local/macros.conf as specified under "Enabling summary indexing for this add-on".

However, now my "Firewall Overview" dashboard panes are showing no results. This makes some sense after following the rabbit trail:

  • The next section in the README goes on to explain how to update the schedules for the saved searches related to the summary indexing, specifically the "Cisco Firewall - Datacube" search, which the README says is included with "this add-on", but since there is no savedsearches.conf in the current version of the add-on (2.0), it couldn't possibly be included in the add-on.
  • However, the instructions also point you to the manager to edit the "default" schedule for the search. The manager view shows that the search is actually included with the Splunk for Cisco Security app.
  • Reviewing Splunk_CiscoSecuritySuite/default/savedsearches.conf reveals the source of the search "Cisco Firewall - Datacube", but the schedule for the search is commented out, so it won't run on a regular basis. I haven't checked yet to see if it gets called when you load the dashboard or not, but whether or not it does is a moot point because:
  • In the same savedsearches.conf, we find that the "Cisco Firewall - DataCube - Summary Index" search that populates the summary index in the first place is disabled ("enableSched = 0").

So it looks like the method by which summary indexing is "enabled" is to edit the search macro used by the dashboards to pull the data from the summary indexes instead of the default indexes, and since the search which populates the summary index is disabled by default, there is no data in the summary index to pull from, so the dashboards show no results.

I'm pretty confident I could fix this by either modifying default/savedsearches.conf or, to follow best practice, creating local/savedsearches.conf, copying and modifying the appropriate stanzas to enable the schedules on both of these searches. (Or, since the "Cisco Firewall - DataCube - Summary Index" search has default values, you can just edit it in manager and click "enable schedule" to turn that one on, and Splunk will update the local/savedsearches.conf for you. But -- I'm still not clear on whether the "Cisco Firewall - Datacube" search is supposed to run on a regular basis. The README says yes, but the fact that its schedule is commented out in default/savedsearches.conf disables any "default" values, so you have to specify them manually if enabling via manager, or it forces you to edit the local/savedsearches.conf file manually. So maybe it's not supposed to run on a schedule??)

Anyway, it seems odd to me that the README specifies part of these instructions (creating the local/macros.conf) but not enough to actually enable using summary indexing (creating/updating local/savedsearches.conf). Any advice?

Edit:

So, I decided to see what happens if I enable the index-populating search schedule and, just for giggles, the other search's commented-out schedule, and ran fill_summary_index.py to fill in the current month's worth of summary data. (That was probably way overkill, but without examining exactly how the searches are written I figured better safe than sorry.) Result: the firewall overview panes are still empty.

Upon closer examination, all four panes' searches finish with a "| stats count by eventtype=...". Cut out the last pipe of each search and we suddenly get results, but with no eventtypes. Since all of the eventtypes defined by the Cisco Firewalls add-on start with a search for sourcetype=xxxx, and all of the events in the summary index have a sourcetype of "stash", am I correct in assuming the eventtypes don't exist for the purposes of this search, thus causing the search to yield no results??

If my assumption is correct, does that mean that the summary indexing feature of the Cisco Firewalls add-on is just plain broken?

0 Karma
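A small audit script, added here as an illustration and not part of the add-on or of the original post, that reads a savedsearches.conf in Splunk's stanza/key layout and flags the two conditions the post describes: a schedule whose keys are commented out (so no "default" value exists for Manager to inherit) and a search with enableSched = 0. The stanza text is constructed from what the post says and is not copied from the real Splunk_CiscoSecuritySuite file; the search strings are placeholders.

```python
import re

# Constructed sample modelled on the post's description; NOT the real
# Splunk_CiscoSecuritySuite/default/savedsearches.conf.
SAMPLE_CONF = """\
[Cisco Firewall - Datacube]
search = `cisco_firewall_summary_placeholder` | stats count by eventtype
# cron_schedule = */15 * * * *
# enableSched = 1

[Cisco Firewall - DataCube - Summary Index]
search = `cisco_firewall_sources_placeholder` | sistats count by eventtype
cron_schedule = */15 * * * *
enableSched = 0
action.summary_index = 1
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {"keys": {...}, "commented": {...}}}.

    Unlike configparser, commented-out key = value lines are kept in a
    separate dict so we can tell "no schedule" from "schedule commented out".
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas[current] = {"keys": {}, "commented": {}}
            continue
        if current is None:
            continue  # keys before the first stanza are ignored
        is_comment = line.startswith("#")
        body = line.lstrip("#").strip() if is_comment else line
        if "=" in body:
            key, value = (s.strip() for s in body.split("=", 1))
            stanzas[current]["commented" if is_comment else "keys"][key] = value
    return stanzas


def schedule_problems(stanzas):
    """Return {stanza: reason} for saved searches that will never run on a schedule.

    Splunk treats a missing enableSched as 0, so a commented-out schedule is
    effectively disabled and, worse, has no default to enable from Manager.
    """
    problems = {}
    for name, s in stanzas.items():
        if s["keys"].get("enableSched", "0") != "0":
            continue
        if "cron_schedule" in s["commented"] or "enableSched" in s["commented"]:
            problems[name] = "schedule commented out (no default; set it in local/)"
        else:
            problems[name] = "enableSched = 0 (enable in Manager or local/)"
    return problems
```

Run it against a copy of the app's default/savedsearches.conf to see which searches feed the summary index and which of them actually have a live schedule.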

Akili
Path Finder

Cisco dashboard loads take ages. No fix for this????

0 Karma

dbylertbg
Path Finder

Doesn't seem so, unless you care to rewrite the summary indexing portions of the app/addon...

0 Karma

gdrapp
Explorer

Did you ever figure this out? Right now my Cisco dashboards load ridiculously slow and I assumed it was due to a missing summary index of some sort. I haven't had time to dig into it at the level you have, so I was hoping for a quick fix. Thanks!

0 Karma

gdrapp
Explorer

That's too bad. I'm going to open a support case to see if they have any words of wisdom. I'll post here if we find a fix. Thanks for responding!

0 Karma

dbylertbg
Path Finder

No, I never did find any answer to this. I am assuming at the moment (especially given no answer from Splunk) that this is a deprecated and/or broken feature and that summary indexing in this app is not configurable out of the box.

0 Karma

dbylertbg
Path Finder

Also just realized the docs refer to a stanza in "cisco_firewall_addon/local/macros.conf", but the current version has been renamed and it would now be "Splunk_CiscoFirewalls/local/macros.conf", so I'm going to assume this is a deprecated and/or broken feature from an earlier version.

0 Karma