How do I install cisco network app and get it up and running?
I suspect you only have a single server Splunk instance. In this case add a new UDP input on port 514 and set sourcetype as "syslog". Leave source blank.
Next step is to install the Cisco Networks app and Cisco Networks add-on. This is done through Apps - Manage apps. The Cisco Networks app contains a Help page with information about what you should configure on your Cisco devices.
If you need help installing apps in general I would recommend that you consult the Splunk Enterprise documentation at docs.splunk.com.
For distributed environments there are various ways you can collect the logs. I won't get into detail here, but for a best practice configuration you normally receive the logs with a Syslog daemon and forward the logs to your Splunk indexers with a Universal Forwarder. A Splunk consultant can help you get this set up properly. There are also good examples in the Splunk docs.
No, not at all. Smart Call Home is only needed if you want to collect inventory data from your devices. Syslog suffices for most uses.
I'll clarify that in the docs.
What if you do a manual search for:
index=* sourcetype=cisco:ios OR sourcetype=syslog
Do you see any data? Is the sourcetype syslog or cisco:ios? If it's syslog please paste the raw event here for me to see. If it's cisco:ios check the index. If the index is something other than main you need to go to Settings - Access controls - Roles - user role - Indexes searched by default - add your index.
We have installed this app but not seeing any results on dashboards. I have changed default index=network_syslog to replicate ours.
I have tried running these dashboard searches with our index name and source (syslog) but it does not come back with results, though we have data for
index=network_syslog sourcetype=syslog results are displayed
index=networksyslog sourcetype=syslog eventtype="ciscoios-ipsla" | eval state=case(stateto == "Up", 1, stateto == "Down", -1) | strcat dvc " " ipslaid dvcipslaid | timechart avg(state) AS state BY dvcipslaid | fillnull value=0
No results found.
Do we need to configure anything on routers or network devices?
Hmm, try not setting source as syslog for your UDP input. Leave source empty. Sourcetype however can be set to syslog. Paste the event's contents as you see it in Splunk. Also let me know the sourcetype and source it shows up with. I'll run that through a regex match to check what's wrong.
Another trick might be to set:
no_appending_timestamp = true
For the UDP input. You'll have to do that in the config files though.
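The regex check mentioned in the reply above, as an added example that is not from the thread or from the Cisco Networks add-on: a small Python script that tests whether raw events look like Cisco IOS syslog (%FACILITY-SEVERITY-MNEMONIC) and whether a Splunk UDP input has prepended its own timestamp and host in front of the datagram, which is what no_appending_timestamp = true prevents. The prefix shape, the regexes and the sample events are assumptions constructed for this example, not the add-on's own extractions.

```python
import re

# Constructed sample events (not from the thread). Events 1 and 2 are Cisco IOS
# syslog as a device emits it; event 3 is event 1 as a UDP input stores it when
# no_appending_timestamp is false (Splunk prepends receive time and sender);
# event 4 is a non-Cisco syslog line that must not match.
SAMPLE_EVENTS = [
    "<189>123: *Mar  1 00:12:34.567: %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface GigabitEthernet0/1, changed state to down",
    "<187>124: *Mar  1 00:12:40.001: %SYS-3-CPUHOG: Task is running for "
    "(2000)msecs, more than (2000)msecs (0/0),process = Exec.",
    "Mar  1 00:12:34 10.0.0.1 <189>123: *Mar  1 00:12:34.567: "
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, "
    "changed state to down",
    "Mar  1 00:13:00 10.0.0.2 sshd[1234]: Accepted publickey for admin from 10.0.0.9",
]

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
CISCO_IOS_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)")
# Assumed shape of the header Splunk prepends when no_appending_timestamp is
# false: "<Mon> <day> <HH:MM:SS> <sender> " in front of the original datagram.
SPLUNK_PREFIX_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")
# Cisco IOS severity levels, 0 = emergency through 7 = debugging
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "informational", "debugging"]

def classify(event):
    """Report whether one raw event carries a Splunk-added header and a Cisco IOS message."""
    result = {"splunk_prefixed": False, "cisco_ios": False}
    m = SPLUNK_PREFIX_RE.match(event)
    if m:
        # Splunk added its own header; strip it so the device's message is parsed
        result["splunk_prefixed"] = True
        result["splunk_host"] = m.group("host")
        event = event[m.end():]
    m = CISCO_IOS_RE.search(event)
    if m:
        result["cisco_ios"] = True
        result["facility"] = m.group("facility")
        result["severity"] = int(m.group("severity"))
        result["severity_name"] = SEVERITY_NAMES[result["severity"]]
        result["mnemonic"] = m.group("mnemonic")
    return result

def summarize(events):
    """Count events that look like Cisco IOS and events that carry a Splunk header."""
    rows = [classify(e) for e in events]
    return {"total": len(rows), "cisco_ios": sum(r["cisco_ios"] for r in rows),
            "splunk_prefixed": sum(r["splunk_prefixed"] for r in rows)}
```

If many events come back with splunk_prefixed set, the UDP input is altering the raw message before the add-on sees it, which is the case the config setting above addresses.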
I have tried these settings but it does not work.
We have all our network devices sending logs to a syslog-ng server (forwarder installed) from where logs are sent to Splunk indexers.
Do we need to do something on network devices to make this app work, or does the above mechanism work?
Can you please provide any documentation for forwarder configurations to make this app work?
I asked for an example log. If you could please provide one I am more than willing to help you.
Did you also install the Cisco Networks Add-on on your indexer? You need the add-on on your indexers. On the search head you need both the app and add-on.