I have switches, WLC and APs sending syslog to rsyslog.
Splunk is monitoring the folders and ingesting data properly (sourcetype for all 3: cisco:ios).
The IOS devices and the WLC are showing up in the overview, but not the APs.
Also, none of the detail dashboards have any info. Any idea what I might be missing?
Hello, I don't have any logs seen in Cisco Network. But in simple search engine I see them. Where is a problem?
Hi,
Make sure whatever index you are storing your data in is searchable by default. That should sort the issue with no data in the panels.
The app tries to determine if the event is from an IOS, WLC or AP based on the fields it finds. For standalone APs this is based on the ap_mac field. A number of factors may make it hard for the app to determine this correctly as the events are basically the same format regardless of IOS, AP or WLC.
Please post a few raw events and I'll try to spot the issue.
I just verified that the indexes are/were searchable by default.
None of the APs are standalone, though. They are all managed through the WLC.
Ok, as far as I remember the AP section only works for standalone APs. Please post a few raw events and I'll check it.
UPDATE:
WAPs are showing up in the IOS section. How does the app determine which is which??