All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

User is unable to see the data in TA-Meraki App

pratapa
Explorer
‎05-12-2020 02:31 AM

  1. We got a requirement to install TA-Meraki app in splunk

  2. Downloaded the zip file from the link provided

https://splunkbase.splunk.com/app/3018/

copied the zip file to Splunk search Head server to the location /opt/splunk/etc/apps

  1. Unzipped the file

A folder with TA-Meraki has been created.

Changed the owner and group of the folder TA-Meraki to splunk:splunk recursively.

  1. Restarted Splunk.

/opt/splunk/bin/splunk restart

We could able to see the app TA-meraki in splunk web

  1. To send log data from Meraki to Splunk server, enable and add your syslog server

in Network-wide >> General >> Reporting >> Syslog servers.

This needs to be done by the Application team on Meraki device.

Application team confirmed that this has been done.

  1. We have created index Meraki and added the port 514 to Data inputs in Splunk.

User complained that the device is logging successfully into splunk but nothing is appearing in the app and the
source is still showing syslog rather than Meraki

What are the steps that we are missing.

Is inputs.conf file needs to be created? If yes, where we need to create the file. On splunk or on Meraki device.

Is sourcetype Meraki needs to be created?

If yes, can we follow the below method.

Go to the path /opt/splunk/etc/apps/TA-meraki/local on Splunk search head server

and create props.conf file (props.conf file does not exist) with the following stanza

[source=]
sourcetype=meraki

Restart splunk.

0 Karma
Reply

vikramyadav
Contributor
‎11-21-2020 11:52 AM

Hi @pratapa

If you don't see inputs created you can create a inputs.conf in local directory.
Sampleconfigs.

inputs.conf

[default]
host_segment = 4

[monitor:///logpartition/*/meraki/]
sourcetype = meraki
index=meraki

[monitor:///logpartition/*/meraki/]
sourcetype = meraki
index=meraki

props.conf
TRANSFORMS-meraki_date_clipper = meraki_date_clipper

transforms.conf
[meraki_date_clipper]
DEST_KEY = _raw
REGEX = (.*\s1\s)\d{8,10}\.\d{9}\s(.*)
FORMAT = $1$2

--------------------------------------------------------

If this helps your like will be appreciated😊



0 Karma
Reply

astackpole
Path Finder
‎11-16-2020 01:03 PM

Yes, you need to set the index and sourcetype to meraki so the inputs.conf should look like this (if you're still using udp 514):

[udp:514]
index=meraki
sourcetype=meraki

In addition, make sure the TA-meraki app is also installed on your indexers. Once both of these changes are made you should see CIM-compliant data for Meraki on your Search Head.

0 Karma
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...