I'm forwarding the Meraki syslogs to the server that Splunk is on (port 514 UDP). I'm seeing logs and can do basic searches in them.
Was hoping the TA-meraki app could help me dive even more into them.
I have the TA-meraki app installed. I just don't understand how to use the app or do the suggested steps in the details page. I'm only using Splunk as a way to interpret Meraki logs. I could use some help understanding where to use the app and how to appropriately configure it to get even more info out of the Meraki logs.
I haven't tried sending the meraki logs directly to splunk; I've always sent it to a syslog server instead.
As long as you apply the data as sourcetype=meraki and put it into index meraki from splunk it should still pick it up.
I would probably create a new port (i.e. 51411 in Splunk), and force sourcetype=meraki and index=meraki (so as not to interfere with anything else).
If you do this, you will need to go into the meraki dashboard and select the alternative new port.
The docs I wrote were targeting onboarding the data via syslog-ng as a sample.
As soon as you do that and you have the TA loaded it should pick it up automatically.
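The dedicated-port setup described in the reply above, written out as an added configuration example (this is not the TA-meraki project's own configuration or the poster's file). It assumes a single Splunk instance receiving the syslog directly, the port number 51411 from the reply, and a placeholder sender network in `acceptFrom` that you replace with the address range your Meraki devices or cloud actually send from. Using a port above 1024 also means the Splunk process does not need root to bind it, which 514 would require.

```ini
# Added example: $SPLUNK_HOME/etc/system/local/inputs.conf
# A UDP listener separate from port 514 that forces the sourcetype and index
# the TA-meraki extractions expect.
[udp://51411]
sourcetype = meraki
index = meraki
# Record the sender's IP as the host field instead of doing reverse DNS
connection_host = ip
# Meraki lines already carry their own timestamp; do not prepend a second one
no_appending_timestamp = true
# Restrict which senders may write into this index (placeholder network;
# replace with the real Meraki source range). Anything outside it is dropped.
acceptFrom = 203.0.113.0/24, !*

# Added example: $SPLUNK_HOME/etc/system/local/indexes.conf
# The index must exist before the input can write to it.
[meraki]
homePath   = $SPLUNK_DB/meraki/db
coldPath   = $SPLUNK_DB/meraki/colddb
thawedPath = $SPLUNK_DB/meraki/thaweddb
```

After a restart, `splunk list udp` should show the 51411 listener, and once the Meraki dashboard has been pointed at the new port a search for `index=meraki sourcetype=meraki` should return events with the TA's extracted fields. If events arrive but land in `index=main` with an automatic sourcetype, the Meraki dashboard is still sending to the old port rather than the new stanza.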
I have followed all steps properly and able to get meraki logs as expected.
However, I was wondering if there was a Meraki app that provided more visual data like dashboard views or pre-loaded searches?
Sorry for the long delay; somehow I'm not getting notified when responses come in.
This TA is only a set of extractions to make it comply with the Common Information Model. With any Common Information Model dashboard that uses the relevant models you will get visualization.
This is the foundation... everything else can be built on top of this extraction.