Cisco Firewall Add-on - No Data

ahammond
Explorer

I have installed both Cisco Security Suite and Cisco Firewall Add-On. I have a UDP port accepting syslogs from an ASA with a sourcetype of cisco_firewall. I can view realtime data in Security Suite, but the Cisco Firewall shows no results when I select Overview or Real Time Dashboard.

The Overview inspect shows:

This search has completed and found 362 matching events. However, the transforming commands in the highlighted portion of the following search:

search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host,log_level_desc,event_desc, _time

over the time range:

3/14/12 3:00:00.000 AM – 3/14/12 3:00:00.000 PM

generated no results.

However, if I select a time from the drop down or change the search to search eventtype="ciscofirewall" | bin _time span=5m results are displayed?

MarioM
Motivator

sourcetype actually should be cisco_asa.

cisco_firewall is the eventtype search for %ASA OR %PIX OR %FWSM

sourcetype=cisco_firewall is only used for events pre-indexed as cisco_firewall sourcetype. Back-support community version <= 4.1.4

And by default the app should apply a sourcetype, so there is no need to set a sourcetype.

But it might not be the reason for your issue.

ahammond
Explorer

App setup wizard was used to create UDP Data Input and it did so with sourcetype blank. No results showed in suite or add-on. I changed the data input's source type to cisco_asa first, so I have some data indexed this way, but no results showed again; it was only after I changed source type to cisco_firewall that results showed. Also, inspects show all failed searches are by event type, but no event types exist in manager interface.

inspect examples
search eventtype="cisco_firewall" | bin _time span=5m
search eventtype=cisco_ips gc_score<0 | lookup geoip clientip as src_ip | bin _time span=5m
