- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to Troubleshooting syslog data source with sou...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I'm having some really odd issues with the TA-Meraki app. It seems I have my data set to directly come in on 514 and can search it in Splunk ES but it is not usable in ESS. From the TA details, using CIM 4.9, It seems I have the tags and event types listed. I cannot search my data by source type even though it does exist as meraki. I have also even tried overriding the source name in the data input but to no luck. I can't see this properly mapping my data if the search fails on source type and furthermore, in data summary - it is not listed for hosts, sources or source types.
What would everyone recommend I check from this point and in order?
Thank you,
BT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I ended up looking at what input.conf was actually in the local directory, when there was none listed - it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories but not in the primary local. After adding this and adding the line for ucp 514 along with source and sourcetype to be used, the events magically aligned. I would have thought adding this as an input with these parameters would have added a line and the same information I used to create the input and ensure data was going to the same index but it appears not.
Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless if it's a single instance and ensure there are settings in the local directories to override any others.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I ended up looking at what input.conf was actually in the local directory, when there was none listed - it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories but not in the primary local. After adding this and adding the line for ucp 514 along with source and sourcetype to be used, the events magically aligned. I would have thought adding this as an input with these parameters would have added a line and the same information I used to create the input and ensure data was going to the same index but it appears not.
Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless if it's a single instance and ensure there are settings in the local directories to override any others.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
