All Apps and Add-ons

How to Troubleshooting syslog data source with source type missing for Meraki-Technology Add-on?

brian1_tate
Path Finder

Hello all,

I'm having some really odd issues with the TA-Meraki app. It seems I have my data set to directly come in on 514 and can search it in Splunk ES but it is not usable in ESS. From the TA details, using CIM 4.9, It seems I have the tags and event types listed. I cannot search my data by source type even though it does exist as meraki. I have also even tried overriding the source name in the data input but to no luck. I can't see this properly mapping my data if the search fails on source type and furthermore, in data summary - it is not listed for hosts, sources or source types.

What would everyone recommend I check from this point and in order?

Thank you,
BT

0 Karma
1 Solution

brian1_tate
Path Finder

So I ended up looking at what input.conf was actually in the local directory, when there was none listed - it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories but not in the primary local. After adding this and adding the line for ucp 514 along with source and sourcetype to be used, the events magically aligned. I would have thought adding this as an input with these parameters would have added a line and the same information I used to create the input and ensure data was going to the same index but it appears not.

Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless if it's a single instance and ensure there are settings in the local directories to override any others.

View solution in original post

0 Karma

brian1_tate
Path Finder

So I ended up looking at what input.conf was actually in the local directory, when there was none listed - it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories but not in the primary local. After adding this and adding the line for ucp 514 along with source and sourcetype to be used, the events magically aligned. I would have thought adding this as an input with these parameters would have added a line and the same information I used to create the input and ensure data was going to the same index but it appears not.

Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless if it's a single instance and ensure there are settings in the local directories to override any others.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...