We got a requirement to install the TA-Meraki app in Splunk.
Downloaded the zip file from the link provided:
https://splunkbase.splunk.com/app/3018/
Copied the zip file to the Splunk search head server, to the location /opt/splunk/etc/apps
A folder with TA-Meraki has been created.
Changed the owner and group of the folder TA-Meraki to splunk:splunk recursively.
/opt/splunk/bin/splunk restart
We were able to see the app TA-meraki in Splunk Web.
in Network-wide >> General >> Reporting >> Syslog servers.
This needs to be done by the Application team on the Meraki device.
Application team confirmed that this has been done.
User complained that the device is logging successfully into Splunk but nothing is appearing in the app and the source is still showing syslog rather than Meraki.
What are the steps that we are missing?
Does an inputs.conf file need to be created? If yes, where do we need to create the file: on Splunk or on the Meraki device?
Does the sourcetype Meraki need to be created?
If yes, can we follow the method below?
Go to the path /opt/splunk/etc/apps/TA-meraki/local on Splunk search head server
and create props.conf file (props.conf file does not exist) with the following stanza
[source=]
sourcetype=meraki
Restart Splunk.
Hi @pratapa
If you don't see inputs created, you can create an inputs.conf in the local directory.
Sample configs:
inputs.conf
[default]
host_segment = 4
[monitor:///logpartition/*/meraki/]
sourcetype = meraki
index=meraki
[monitor:///logpartition/*/meraki/]
sourcetype = meraki
index=meraki
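props.conf
# Stanza header added so the transform applies only to the meraki sourcetype set in inputs.conf
[meraki]
TRANSFORMS-meraki_date_clipper = meraki_date_clipper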
transforms.conf
[meraki_date_clipper]
DEST_KEY = _raw
REGEX = (.*\s1\s)\d{8,10}\.\d{9}\s(.*)
FORMAT = $1$2
--------------------------------------------------------
If this helps, your like will be appreciated 😊
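An added example, not part of the original answer or of the TA-Meraki app: a Python emulation of the meraki_date_clipper transform, run over constructed events to check which line formats the REGEX actually rewrites before it is deployed. The sample lines and the helper names clip and report are assumptions.

```python
import re

# REGEX copied from the [meraki_date_clipper] stanza above.
CLIPPER = re.compile(r"(.*\s1\s)\d{8,10}\.\d{9}\s(.*)")


def clip(raw: str) -> str:
    """Emulate DEST_KEY = _raw with FORMAT = $1$2: on a match, _raw becomes
    the two capture groups joined; without a match the event is untouched."""
    m = CLIPPER.search(raw)
    return m.group(1) + m.group(2) if m else raw


def report(events):
    """Return (changed, new_raw) per event so unmatched formats stand out."""
    out = []
    for raw in events:
        new = clip(raw)
        out.append((new != raw, new))
    return out


# Constructed sample events (documentation addresses, made-up values).
SAMPLES = [
    # As written to disk by a syslog server: header, version "1", epoch, payload.
    "Jul 16 03:40:30 192.0.2.1 1 1563249630.774247467 MX84 urls "
    "src=192.0.2.10:51234 dst=198.51.100.7:443 request: GET https://example.com/",
    # Priority still attached: no whitespace before the "1", so no match.
    "<134>1 1563249630.774247467 MX84 flows src=192.0.2.10 dst=198.51.100.7 protocol=tcp",
    # Fractional part has 6 digits, not 9: no match.
    "Jul 16 03:40:31 192.0.2.1 1 1563249631.774247 MX84 flows "
    "src=192.0.2.10 dst=198.51.100.7 protocol=tcp",
]

if __name__ == "__main__":
    for changed, new in report(SAMPLES):
        print("CLIPPED  " if changed else "UNCHANGED", new)
```

Events reported as UNCHANGED keep the epoch field in _raw, so run this against a few real lines from the monitored files to confirm the header format matches what the REGEX expects.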
Yes, you need to set the index and sourcetype to meraki so the inputs.conf should look like this (if you're still using udp 514):
[udp:514]
index=meraki
sourcetype=meraki
In addition, make sure the TA-meraki app is also installed on your indexers. Once both of these changes are made you should see CIM-compliant data for Meraki on your Search Head.