How do I install the Cisco Networks app and get it up and running?

john_jackson
New Member

How do I install the Cisco Networks app and get it up and running?

0 Karma

mikaelbje
Motivator

That explains it. You need 6.1+ as stated on the app's download page.

If you upgraded from previous versions of the apps, a total delete of the app's directories followed by a reinstall is recommended if you are having issues. A lot has changed.

0 Karma

davparker
Explorer

I've already got Syslog data in NCS Prime and SolarWinds Orion. I'd rather collect data from these aggregate sources. Is this supported somehow?
Thanks,
David

0 Karma

mikaelbje
Motivator

Please create a new question/thread instead of reusing an existing one 🙂

john_jackson
New Member

The new Cisco Splunk app we have installed is creating data models in the local directory (we only have 13G of available space on local) and we are running out of space, which is stopping Splunk completely and makes it unusable to anyone. We temporarily disabled the Cisco app and will enable it once we have a solution.

0 Karma

mikaelbje
Motivator

I suggest you consult a Splunk professional to get your setup tuned. For the index where you store your IOS logs you need to set a tstatsHomePath to a volume that is outside of your Splunk working dir, i.e. where you store your data. See http://answers.splunk.com/answers/108183/how-to-change-the-path-of-datamodel-summary.html

It's not particularly complicated, but requires some knowledge about how Splunk stores accelerated indexes. Another option is to disable the acceleration of the Cisco IOS Event data model, but that will slow down your dashboards.

I can't provide any more answers as there have been numerous questions already in this thread, a lot of them general and unrelated to the app.

0 Karma
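An indexes.conf sketch of the tstatsHomePath change described in the answer above. This is an added example, not part of the thread or the app's documentation; the volume name, path and size cap are assumptions, and network_syslog is the index name used elsewhere in this thread.

```ini
# indexes.conf on each indexer (added example; volume name, path and size are assumptions)

# A volume on a filesystem with more free space than the Splunk working directory.
[volume:dm_summaries]
path = /data/splunk/summaries
# Upper bound, in MB, for everything stored under this volume.
maxVolumeDataSizeMB = 200000

# The index that holds the Cisco IOS logs.
# Its existing homePath / coldPath / thawedPath settings stay unchanged.
[network_syslog]
# tstatsHomePath has to be expressed in terms of a volume definition.
tstatsHomePath = volume:dm_summaries/network_syslog/datamodel_summary
```

The directory behind the volume must exist and be writable by the account Splunk runs as.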

mikaelbje
Motivator

We'd need an official response from Splunk to get a good answer. Generally all roles should run the same version, however minor version differences are ok unless there's a specific bug, so mixing i.e. 6.2.1 with 6.2.2 is ok. I would not mix 6.2 with 6.1 or 6.1 with 6.0 except in the interim while you are upgrading servers. Things may break and it's hard to predict what. Other times everything appears to work just fine.

You don't have to upgrade your forwarders.

Please vote or check helpful answers as Accepted.

0 Karma

john_jackson
New Member

What would happen if the indexer and search head are running different versions of Splunk?

0 Karma

john_jackson
New Member

Thank you Sir, will upgrade and see how it goes from there.

0 Karma

mikaelbje
Motivator

I suspect you only have a single server Splunk instance. In this case add a new UDP input on port 514 and set sourcetype as "syslog". Leave source blank.

Next step is to install the Cisco Networks app and Cisco Networks add-on. This is done through Apps - Manage apps. The Cisco Networks app contains a Help page with information about what you should configure on your Cisco devices.

If you need help installing apps in general I would recommend that you consult the Splunk Enterprise documentation at docs.splunk.com.

For distributed environments there are various ways you can collect the logs. I won't get into detail here, but for a best practice configuration you normally receive the logs with a Syslog daemon and forward the logs to your Splunk indexers with a Universal Forwarder. A Splunk consultant can help you get this set up properly. There's also good examples in the Splunk docs.

john_jackson
New Member

Does this app need smart call home to work?

0 Karma

mikaelbje
Motivator

No, not at all. Smart Call Home is only needed if you want to collect inventory data from your devices. Syslog suffices for most uses.

I'll clarify that in the docs.

0 Karma

john_jackson
New Member

OK, I have it installed correctly and UDP is open, but search data is not being populated in the app.

0 Karma

mikaelbje
Motivator

What if you do a manual search for:

index=* sourcetype=cisco:ios OR sourcetype=syslog

Do you see any data? Is the sourcetype syslog or cisco:ios? If it's syslog please paste the raw event here for me to see. If it's cisco:ios check the index. If the index is something other than main you need to go to Settings - access controls - roles - user role - indexes searched by default - add your index

0 Karma

john_jackson
New Member

Hi Mikael,
We have installed this app but not seeing any results on dashboards. I have changed default index=network_syslog to replicate ours.
I have tried running these dashboard searches with our index name and source (syslog) but it does not come back with results, though we have data for

index=network_syslog sourcetype=syslog (results are displayed)

index=network_syslog sourcetype=syslog eventtype="cisco_ios-ipsla" | eval state=case(state_to == "Up", 1, state_to == "Down", -1) | strcat dvc " " ip_sla_id dvc_ip_sla_id | timechart avg(state) AS state BY dvc_ip_sla_id | fillnull value=0 (no results found)

Do we need to configure anything on routers or network devices?

0 Karma

mikaelbje
Motivator

Hmm, try not setting source as syslog for your UDP input. Leave source empty. Sourcetype however can be set to syslog. Paste the event's contents as you see it in Splunk. Also let me know the sourcetype and source it shows up with. I'll run that through a regex match to check what's wrong.

Another trick might be to set:

no_appending_timestamp = true

For the UDP input. You'll have to do that in the config files though.

0 Karma

yanivdutt
Explorer

I have tried these settings but it does not work.
We have all our network devices sending logs to a syslog-ng server (forwarder installed) from where logs are sent to Splunk indexers.
Do we need to do something on network devices to make this app work, or does the above mechanism work?
Can you please provide any documentation for forwarder configurations to make this app work?

0 Karma

mikaelbje
Motivator

I asked for an example log. If you could please provide one I am more than willing to help you.

Did you also install the Cisco Networks Add-on on your indexer? You need the add-on on your indexers. On the search head you need both the app and add-on.

0 Karma

john_jackson
New Member

We still don’t see data even after installing the app on indexers. Add-on on all indexers, app and add-on on search head. Screenshot attached.

0 Karma

mikaelbje
Motivator

Screenshot received by e-mail showing dashboards failing to load search results from peers/indexers (search ended prematurely)

Never seen this before. What Splunk version are you on?

I also need to see one of the log lines from your Cisco devices as indexed by Splunk. You mentioned that you saw them when you searched for sourcetype=syslog. I need the raw event as you see it in Splunk. No screenshots please.

You also mentioned that you opened up a UDP input but that you are using a syslog daemon. If you are indexing the files created by your syslog daemon you don't need to open up a UDP input on the Splunk server.
Please send me the contents of your monitor stanza for the syslog files in the inputs.conf on your syslog server.

Please also clarify whether you have installed
* TA-cisco_ios on your indexers
* cisco_networks and TA-cisco_ios on search heads

I appreciate it if you continue to post the questions online. There are other people out there who might be able to help. This is most likely not an issue directly related to the app, but to your specific configuration.

Mikael

0 Karma
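The two collection setups discussed in the answers above, written out as inputs.conf stanzas: the direct UDP input with no_appending_timestamp, and the monitor stanza used when a syslog daemon writes files that a forwarder picks up. This is an added example, not a configuration posted by anyone in the thread; the file path layout, the host_segment value and the use of connection_host are assumptions, and network_syslog is the index name mentioned in the thread.

```ini
# --- Variant A: single Splunk server receiving syslog directly ---
# inputs.conf on the Splunk server (added example)
[udp://514]
sourcetype = syslog
# No "source =" line: source is left unset, as suggested in the thread.
# Stop Splunk from prepending its own timestamp and host to each event,
# so the Cisco message arrives unmodified.
no_appending_timestamp = true
# Use the sending device's IP address as the host field.
connection_host = ip
index = network_syslog

# --- Variant B: syslog-ng writes files, a Universal Forwarder monitors them ---
# inputs.conf on the syslog server. With this setup no UDP input is
# needed on the Splunk side.
# Assumed layout: /var/log/remote/<device>/<file>.log
[monitor:///var/log/remote/*/*.log]
sourcetype = syslog
index = network_syslog
# Take the host field from the 4th path segment (<device>).
host_segment = 4
```

Use one variant or the other for a given device; the TA-cisco_ios add-on still has to be installed on the indexers in either case, as stated above.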

john_jackson
New Member

Mikael, getting some data now but still a lot of data not showing up. Any ideas?

0 Karma