All Apps and Add-ons

Hello,
I try to use the cisco ios ta to parsing my ios logs.
I have created non standard sourcetype for my logs as follow :

[udp://XXX.XX.XX:514]
source = My-switch-name
sourcetype = network:cisco_switch
disabled = false
index = Network

and

[udp://XXX.XXX.XXX.XXX:514]
source = My-wlc-ap
sourcetype = network:cisco_wlc
disabled = false
index = Network

in the app, i have changed my eventtypes.conf as follow

[cisco_ios]

search = sourcetype=cisco:ios

search = sourcetype=network:*

but the logs are not parsed.

I'm new to Splunk and I have maybe forgotten something ?

Thanks for you help and sorry for my English 😄

thank you fir your answer.
With your help i have now a working app.

i have changed in props.conf of the TA-cisco_ios following line :

[cisco:ios]

[(?::){0}network:cisco_*]
...
nothing in the transforms.conf

and in the cisco_ios i have created a local/eventtypes.conf with theses lines :
[cisco_ios]
search = (sourcetype=network:cisco_switch OR sourcetype=network:cisco_wlc OR sourcetype=network:cisco_coeur_reseau)

Thanks again

eventtypes don't parse your data., props and transforms do. If you are creating a custom sourcetype for field extraction purposes you need to create the extractions in props.conf and transforms.conf.

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...