I recently downloaded and installed both the Splunk for Cisco Firewalls Add-on and the Splunk for Cisco Security app. I noticed while reading the Splunk for Cisco Firewalls README that I could enable summary indexing to populate some of the Splunk for Cisco Security dashboards for me so the app would feel more responsive, so I followed the instructions on creating the local/macros.conf as specified under "Enabling summary indexing for this add-on".
However, now my "Firewall Overview" dashboard panes are showing no results. This makes some sense after following the rabbit trail:
So it looks like the method by which summary indexing is "enabled" is to edit the search macro used by the dashboards to pull the data from the summary indexes instead of the default indexes, and since the search which populates the summary index is disabled by default, there is no data in the summary index to pull from, so the dashboards show no results.
I'm pretty confident I could fix this by either modifying default/savedsearches.conf or, to follow best practice, creating local/savedsearches.conf and copying and modifying the appropriate stanzas to enable the schedules on both of these searches. (Or, since the "Cisco Firewall - DataCube - Summary Index" search has default values, you can just edit it in manager and click "enable schedule" to turn that one on, and Splunk will update local/savedsearches.conf for you. But I'm still not clear on whether "Cisco Firewall - Datacube" is supposed to run on a regular basis. The README says yes, but the fact that its schedule is commented out in default/savedsearches.conf removes any "default" values, so you have to specify them manually if enabling via manager, or you are forced to edit local/savedsearches.conf by hand. So maybe it's not supposed to run on a schedule?)
Anyway, it seems odd to me that the README specifies part of these instructions (creating the local/macros.conf) but not enough to actually enable using summary indexing (creating/updating local/savedsearches.conf). Any advice?
Edit:
So, I decided to see what happens if I enable the index-populating search schedule and, just for giggles, the other search's commented-out schedule, and then run fill_summary_index.py to fill in the current month's worth of summary data. (That was probably way overkill, but without examining exactly how the searches are written I figured better safe than sorry.) Result: the firewall overview panes are still empty.
Upon closer examination, all four panes' searches finish with a "| stats count by eventtype=...". Cut out the last pipe of each search and we suddenly get results, but with no eventtypes. Since all of the eventtypes defined by the Cisco Firewalls add-on start with a search for sourcetype=xxxx, and all of the events in the summary index have a sourcetype of "stash", am I correct in assuming the eventtypes don't exist for the purposes of this search, thus causing the search to yield no results?
If my assumption is correct, does that mean that the summary indexing feature of the Cisco Firewalls add-on is just plain broken?
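The post above hinges on how Splunk layers local/savedsearches.conf over default/savedsearches.conf: a key that is commented out in default/ simply does not exist, so local/ has to supply it before the search can be scheduled. The script below is an added example, not code from the original post or from the Cisco Firewalls add-on. It models that key-by-key precedence over two constructed conf snippets whose stanza names are the two searches discussed here; the search strings, cron values, and the `summary` index name are placeholders, while the key names (`enableSched`, `cron_schedule`, `dispatch.earliest_time`, `dispatch.latest_time`, `action.summary_index`, `action.summary_index._name`) are the real savedsearches.conf settings.

```python
"""Resolve Splunk's default/local layering for savedsearches.conf stanzas.

Added example, not the add-on's own files. DEFAULT_CONF and LOCAL_CONF below
are constructed stand-ins: stanza names come from the thread, everything else
(search text, cron strings, index name) is a placeholder.
"""
import configparser

# Keys a scheduled saved search needs before Splunk will run it on a timer.
SCHEDULE_KEYS = ("enableSched", "cron_schedule",
                 "dispatch.earliest_time", "dispatch.latest_time")

# Constructed stand-in for Splunk_CiscoFirewalls/default/savedsearches.conf.
# The Datacube stanza mirrors the thread's observation: its schedule keys are
# commented out, so they are absent, not defaulted.
DEFAULT_CONF = """
[Cisco Firewall - Datacube]
search = index=main sourcetype=cisco_asa | sistats count by eventtype
# cron_schedule = */15 * * * *
# enableSched = 1

[Cisco Firewall - DataCube - Summary Index]
search = index=main sourcetype=cisco_asa | sistats count by eventtype
cron_schedule = 0 * * * *
enableSched = 0
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = summary
"""

# Constructed local/savedsearches.conf overlay: only the keys that differ from
# (or are missing in) default/. The Datacube stanza has to carry every schedule
# key because default/ provides none of them.
LOCAL_CONF = """
[Cisco Firewall - DataCube - Summary Index]
enableSched = 1

[Cisco Firewall - Datacube]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
action.summary_index = 1
action.summary_index._name = summary
"""


def parse_conf(text):
    """Parse a .conf snippet into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive (enableSched)
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def resolve(default, local):
    """Apply Splunk precedence within an app: local/ overrides default/ per key."""
    merged = {}
    for stanza in set(default) | set(local):
        merged[stanza] = {**default.get(stanza, {}), **local.get(stanza, {})}
    return merged


def schedule_status(stanza):
    """Say whether a resolved stanza will actually run and write a summary index."""
    missing = [key for key in SCHEDULE_KEYS if key not in stanza]
    scheduled = stanza.get("enableSched") == "1" and not missing
    summarizing = (stanza.get("action.summary_index") == "1"
                   and "action.summary_index._name" in stanza)
    return {"scheduled": scheduled, "summarizing": summarizing, "missing": missing}


def effective_status(default_text=DEFAULT_CONF, local_text=LOCAL_CONF):
    """Resolved schedule/summary status for every stanza across both layers."""
    merged = resolve(parse_conf(default_text), parse_conf(local_text))
    return {name: schedule_status(stanza) for name, stanza in merged.items()}


if __name__ == "__main__":
    print("With local/ overlay:")
    for name, status in sorted(effective_status().items()):
        print(f"  {name}: {status}")
    print("Shipped defaults only (no local/):")
    for name, status in sorted(effective_status(local_text="").items()):
        print(f"  {name}: {status}")
```

On a live instance the same resolution can be checked with `splunk btool savedsearches list "Cisco Firewall - Datacube" --debug`, which prints the effective stanza and the file each key came from; a stanza that shows no `cron_schedule` or `enableSched` line there will never populate the summary index no matter what local/macros.conf points the dashboards at.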
Cisco dashboards take ages to load. No fix for this?
Doesn't seem so, unless you care to rewrite the summary indexing portions of the app/addon...
Did you ever figure this out? Right now my Cisco dashboards load ridiculously slow and I assumed it was due to a missing summary index of some sort. I haven't had time to dig into it at the level you have, so I was hoping for a quick fix. Thanks!
That's too bad. I'm going to open a support case to see if they have any words of wisdom. I'll post here if we find a fix. Thanks for responding!
No, I never did find any answer to this. I am assuming at the moment (especially given no answer from Splunk) that this is a deprecated and/or broken feature and that summary indexing in this app is not configurable out of the box.
Also just realized the docs refer to a stanza in "cisco_firewall_addon/local/macros.conf", but the current version has been renamed and it would now be "Splunk_CiscoFirewalls/local/macros.conf", so I'm going to assume this is a deprecated and/or broken feature from an earlier version.