I have Cisco logs coming into my syslog-ng server, and I added the log file on a universal forwarder to monitor and send to a Splunk server. How do I check whether or not data is being dumped into the indexer? I also want to add Cisco devices to the Cisco Networks App in Splunk. How do I do this?
In my case there was no act of "adding devices" -- they just showed up as soon as data started flowing into the indexer and by show up I mean I was able to see them under Cisco Networks App for Splunk Enterprise. The thing was that I initially used snmp traps and NONE showed up. I figured later that I must use syslog but then the substance which syslog provides doesn't give me what I want to I was back to square one with my logs. In summary, if nothing shows up under Cisco Networks App for Splunk Enterprise then data isn't making it to the indexer. There isn't any manual task inside Cisco Networks App for Splunk Enterprise to add devices, as far as my knowledge goes.
I am having an issue, I am working with someone who has the Cisco Network Add-on for Splunk installed in the Syslog server, but not their Heavy Forwarder, also I see that the Cluster Master has the app and due to it, it was deployed to all four indexers as well. The TA and Cisco Network app is also installed on their utility search head, but I am not seeing any data. I see that the syslog installation of the TA has an inputs.conf file in the app/local folder, but none exists on the indexers because there is no configuration on the cluster master. Does there need to be any inputs.conf file in the app/local or not? Also should I install the TA on the HF as well?