
Cisco Firewall Add-on - No Data

ahammond
Explorer

I have installed both the Cisco Security Suite and the Cisco Firewall Add-on, and I have a UDP port accepting syslogs from an ASA with a sourcetype of cisco_firewall. I can view real-time data in the Security Suite, but the Cisco Firewall app shows no results when I select Overview or the Real Time Dashboard.

The Overview search inspector shows:

This search has completed and found 362 matching events. However, the transforming commands in the highlighted portion of the following search:

search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host,log_level_desc,event_desc, _time

over the time range:

3/14/12 3:00:00.000 AM – 3/14/12 3:00:00.000 PM

generated no results.

However, if I select a time from the drop-down, or change the search to search eventtype="ciscofirewall" | bin _time span=5m, results are displayed?


MarioM
Motivator

The sourcetype actually should be cisco_asa.

cisco_firewall is the eventtype, whose search is %ASA OR %PIX OR %FWSM.

sourcetype=cisco_firewall is only used for events pre-indexed with the cisco_firewall sourcetype (back-support for community version <= 4.1.4).

And by default the app should apply a sourcetype, so there is no need to set one.

But it might not be the reason for your issue.


ahammond
Explorer

The app setup wizard was used to create the UDP data input, and it did so with the sourcetype blank. No results showed in the Suite or the Add-on. I changed the data input's sourcetype to cisco_asa first, so I have some data indexed this way, but again no results showed; it was only after I changed the sourcetype to cisco_firewall that results showed. Also, the inspectors show that all failed searches are by eventtype, but no eventtypes exist in the Manager interface.

Inspector examples:
search eventtype="cisco_firewall" | bin _time span=5m
search eventtype=cisco_ips gc_score<0 | lookup geoip clientip as src_ip | bin _time span=5m

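Added example, not part of the thread and not the Cisco add-on's own code: a Python simulation of why the search inspector can report "362 matching events" while `stats count by eventtype, src_ip, dest_ip, host, log_level_desc, event_desc, _time` returns nothing. Two Splunk behaviours combine here. First, `stats ... by` silently drops any event in which one of the split-by fields is null. Second, the add-on's field extractions are bound to the sourcetype it expects (cisco_asa, as MarioM says), while the cisco_firewall eventtype is just a raw-text search for %ASA OR %PIX OR %FWSM, so events indexed under another sourcetype still match the eventtype but carry none of the extracted fields. The regexes and lookup tables below are hypothetical stand-ins for the add-on's props.conf and lookups, and the syslog lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog events (not from the thread): two Cisco ASA lines
# and one unrelated line, as the indexer would receive them on the UDP input.
SAMPLE_EVENTS = [
    "Mar 14 03:05:12 asa1 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)",
    "Mar 14 03:06:40 asa1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.0.0.7/22 by access-group \"outside_in\"",
    "Mar 14 03:07:01 asa1 sshd[123]: Accepted publickey for admin from 10.0.0.9",
]

# The eventtype as the thread describes it: a search for %ASA OR %PIX OR %FWSM.
CISCO_FIREWALL_EVENTTYPE = re.compile(r"%ASA|%PIX|%FWSM")

# Hypothetical field extractions standing in for the add-on's props.conf. They are
# keyed by sourcetype, so they only fire when the event is indexed as cisco_asa.
SYSLOG_HEADER = re.compile(r"^\w{3}\s+\d+\s+(?P<hh>\d\d):(?P<mm>\d\d):\d\d\s+(?P<host>\S+)\s")
ASA_ID = re.compile(r"%(?:ASA|PIX|FWSM)-(?P<log_level>\d)-(?P<message_id>\d+)")
SRC_IP = re.compile(r"\b(?:src|for)\s+\S+?:(?P<src_ip>\d+\.\d+\.\d+\.\d+)")
DEST_IP = re.compile(r"\b(?:dst|to)\s+\S+?:(?P<dest_ip>\d+\.\d+\.\d+\.\d+)")
LOG_LEVEL_DESC = {"4": "Warning", "6": "Informational"}                    # hypothetical lookup
EVENT_DESC = {"302013": "Built TCP connection", "106023": "Denied by ACL"}  # hypothetical lookup


def extract_fields(event, sourcetype):
    """Return the fields Splunk would have for this event under the given sourcetype."""
    fields = {"_raw": event, "sourcetype": sourcetype}
    hdr = SYSLOG_HEADER.match(event)
    if hdr:
        fields["host"] = hdr.group("host")
        # bin _time span=5m: floor the minute to a 5-minute boundary
        fields["_time"] = f"{hdr.group('hh')}:{int(hdr.group('mm')) // 5 * 5:02d}"
    if CISCO_FIREWALL_EVENTTYPE.search(event):
        fields["eventtype"] = "cisco_firewall"  # raw-text match, independent of sourcetype
    if sourcetype == "cisco_asa":              # extractions apply only to this sourcetype
        m = ASA_ID.search(event)
        if m:
            fields["log_level_desc"] = LOG_LEVEL_DESC.get(m.group("log_level"))
            fields["event_desc"] = EVENT_DESC.get(m.group("message_id"))
        for rx in (SRC_IP, DEST_IP):
            m = rx.search(event)
            if m:
                fields.update(m.groupdict())
    return fields


def search_eventtype(events, sourcetype, eventtype="cisco_firewall"):
    """search eventtype=<eventtype>: keep the events tagged with that eventtype."""
    return [f for f in (extract_fields(e, sourcetype) for e in events)
            if f.get("eventtype") == eventtype]


def stats_count_by(results, by_fields):
    """stats count by <fields>: as in Splunk, an event with ANY null by-field is dropped."""
    counts = Counter()
    for f in results:
        key = tuple(f.get(name) for name in by_fields)
        if any(v is None for v in key):
            continue
        counts[key] += 1
    return counts


DASHBOARD_BY = ["eventtype", "src_ip", "dest_ip", "host", "log_level_desc", "event_desc", "_time"]


def run(sourcetype):
    """Return (number of matching events, stats rows) for the Overview search under one sourcetype."""
    matched = search_eventtype(SAMPLE_EVENTS, sourcetype)
    return len(matched), stats_count_by(matched, DASHBOARD_BY)


if __name__ == "__main__":
    for st in ("cisco_firewall", "cisco_asa"):
        n, rows = run(st)
        print(f"sourcetype={st}: {n} matching events, {len(rows)} stats rows")
```

Under sourcetype cisco_firewall the two ASA events match the eventtype but the transforming `stats` yields no rows, which is exactly the inspector message in the first post; under cisco_asa the same events produce one row per source address. A quick check on a real instance is to run the eventtype search without the `stats` and look at the field sidebar: if src_ip, log_level_desc or event_desc are absent, the sourcetype is wrong for the add-on's extractions, not the eventtype.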