How to duplicate the Cisco Networks App and Cisco Security Suite to separate different groups of Cisco devices into separate indexes?

mmacdonald70
Explorer

We are trying to separate different groups of Cisco devices into separate indexes. These indexes will all be managed by the same groups of people so I don't believe that role based authentication will work in this case.

What I would like to do is duplicate the Cisco_Networks app and the Cisco_Security_Suite app and have each copy read from a different index, i.e.:

Cisco_Networks_Network 1 uses index=network1
Cisco_Networks_Network 2 uses index=network2

All administrators should be able to pull up either app to see the status of devices in each network.

Unfortunately, I have no idea how to go about this (or if there is a better way). The purpose is simply to be able to differentiate between different networks.

0 Karma

mmacdonald70
Explorer

Out of curiosity, were you able to make any headway on a workaround for the panels not being index-aware?

0 Karma

mikaelbje
Motivator

I now have a multi-tenant version of the app ready. It's not free of charge. Contact me if you are interested.

The multi-tenant version will also lift the license terms for the Cisco Networks app and let you use it commercially, but not resell it.

0 Karma

mikaelbje
Motivator

Copy the top search from cisco_ios/default/eventtypes.conf to cisco_ios/local/eventtypes.conf and add the index in the base search at the top in this file.

Please note that you may have issues with any panel driven by a data model, since these may not be aware of indexes. The overview page uses a lot of these. I'll look into whether there's a way around this.

You should also disable acceleration of the Cisco_IOS_Event data model in all but one app, otherwise you will have duplicate data and waste lots of resources.

If you intend to make this data available to your customers you should talk to your Splunk Sales Rep as I believe the standard licensing terms restrict you from running a shared hosted service unless you have an additional agreement.
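The procedure in this answer (copy the top search from default/eventtypes.conf into local/eventtypes.conf and add the index to the base search) as an added example that is not from the thread or from the app itself: a small Python helper that parses a Splunk .conf stanza, constrains its search to one index, and renders the local override. The stanza names, sourcetypes and search text in the sample are constructed and are not the real contents of TA-cisco-ios; the stanza you actually need is the top one in cisco_ios/default/eventtypes.conf.

```python
import re

# Constructed sample in the shape of a Splunk eventtypes.conf; the real stanza
# names and searches shipped with TA-cisco-ios are deliberately not reproduced.
SAMPLE_DEFAULT_EVENTTYPES = """\
# constructed example, not the real file
[cisco_ios_example_base]
search = sourcetype=cisco:ios \\
    OR sourcetype=cisco:ios:example
tags = network

[cisco_ios_example_other]
search = eventtype=cisco_ios_example_base "%SYS-5-CONFIG_I"
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash continuations."""
    stanzas, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):   # continuation line
            i += 1
            line = line[:-1].rstrip() + " " + lines[i].strip()
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            if stripped.startswith("[") and stripped.endswith("]"):
                current = stripped[1:-1]
                stanzas[current] = {}
            elif "=" in stripped and current is not None:
                key, value = stripped.split("=", 1)       # value may itself contain '='
                stanzas[current][key.strip()] = value.strip()
        i += 1
    return stanzas

INDEX_TERM = re.compile(r"\bindex\s*=\s*\S+", re.IGNORECASE)

def scope_search(search, index):
    """Pin a search to one index: replace an existing index= term, else prepend one."""
    if INDEX_TERM.search(search):
        return INDEX_TERM.sub(f"index={index}", search, count=1)
    return f"index={index} {search}"

def build_local_eventtypes(default_text, stanza, index):
    """Render the local/eventtypes.conf override for `stanza`, scoped to `index`."""
    conf = parse_conf(default_text)
    if stanza not in conf or "search" not in conf[stanza]:
        raise KeyError(f"{stanza}: no search found in default eventtypes.conf")
    return f"[{stanza}]\nsearch = {scope_search(conf[stanza]['search'], index)}\n"
```

Run it once per app copy (network1, network2, ...) and write the returned text to that copy's local/eventtypes.conf; local overrides default, so the base eventtype then only matches the intended index.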

mikaelbje
Motivator

Uhm, you're right. I should probably move eventtypes.conf from the TA to the app. I'll look into that for the next version.

0 Karma

mmacdonald70
Explorer

Thanks for looking into it. Do you think that this is something that I could correct temporarily for now?

0 Karma

mikaelbje
Motivator

Sure, give it a try. Let me know how it works. Remove it completely from the TA, both on search heads and indexers. Add it to the app on the search heads.

0 Karma

mmacdonald70
Explorer

So I just did this and it does seem to work. As you said, a bunch of the panels don't seem to reflect the change but "Diagnostic Messages" only lists the messages from the index in question.

0 Karma

mmacdonald70
Explorer

Thanks. I tried this but I came up to a bit of a roadblock. I copied the etc/apps/cisco_ios folder to etc/apps/network1_cisco_ios and fixed the permissions but I was unable to find the eventtypes file in this folder. I did locate this in:

etc/apps/TA-cisco-ios - There is a search string here but I'm not sure how to tie it to a different app. Would I need to make a copy of this as well and try to tie it to the new app?

etc/users/admin - this file is blank. There is no eventtype.conf file in the folder of any other user.

0 Karma