Why am I not getting any data in the Switch Dashboard of the Cisco Networks App for Splunk Enterprise?

splunkfly
New Member

Why am I not getting any data in the Switch Dashboard in the Cisco Networks App in Splunk? I see some visual data only in Cisco Networks Overview. Apart from Networks Overview, I cannot see any data anywhere in the app, such as Audit, Switching, Routing, Security, Performance, Wireless, etc.

The method I used is as below:
1. WLC and Cisco switch log files are routed to a syslog-ng server, and I installed the Splunk Universal Forwarder on top of it.
2. Authorized the forwarder to connect to the Splunk server:
sudo /opt/splunkforwarder/bin/splunk add forward-server splunkserverip:port -auth admin:changeme
3. Added the directory for monitoring:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/switches/

Please help me with your response to complete the task of utilizing all the options of the Cisco Networks app.

0 Karma

mikaelbje
Motivator

Sourcetype must be "cisco:ios" or "syslog".

In Splunk the sourcetype plays an important role. It is the main way of categorizing similar events. All apps rely on specific sourcetypes. It's mentioned in the documentation.

0 Karma

mikaelbje
Motivator

See the Help page in the app for all the parameters you need to set on your devices.

Be sure to set the following as well

logging trap informational

to enable sending all types of logs

You need a high velocity of logs and lots of devices, and most importantly your devices actually have to send the types of logs that are relevant for this use case.

0 Karma

splunkfly
New Member

Thanks for your response. I'm getting all the logs into my syslog server. I have no problem with logs. My question is that I'm able to see the received log data visually only in the Cisco Networks Overview tab in the Cisco Networks app in Splunk. Apart from the Networks Overview option in the app, I cannot see the data in other options of the app such as Audit, Switching, Routing, Security, Performance, Wireless, etc.

0 Karma

mikaelbje
Motivator

Make sure your user searches whatever index your Cisco logs are in by default. Check your role settings.

0 Karma

splunkfly
New Member

I checked my role; I have all the privileges to read, write and execute as an administrator. I'm able to search in the search box and the data is flowing, but I want to see that data in the networking app.
I reconfigured again today:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/switches -index Cisco_switches_index -sourcetype Cisco_logs

What else should I configure?

0 Karma

mikaelbje
Motivator

Why did you set sourcetype as Cisco_logs when the app expects sourcetype to be cisco:ios?

You're saying that you can see the data in the search app. What is the search string you're using? If it includes an index=whatever that means you need to change your role to search that index BY DEFAULT in role settings.

0 Karma

splunkfly
New Member

When I use the log path as below:
source="/var/log/switches/switch1.log" sourcetype=switch-too_small host=syslog_splunk

Splunk shows sourcetype=switch-too_small and host=syslog_splunk.

syslog_splunk is the log server host name, and I see the sourcetype is automatically generated; I never mentioned "switch-too_small".

Do you want me to change the sourcetype to be cisco:ios?

0 Karma
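
An added example, not part of the thread or of the app's own code: a small check for a forwarder's inputs.conf that flags monitor stanzas whose sourcetype is missing or is not one of the two values the replies above say the app expects. The sample file is constructed; the index name `network` and the `wlc` and `routers` paths are assumptions.

```python
import configparser

# Sourcetypes the reply in this thread says the app expects.
EXPECTED_SOURCETYPES = {"cisco:ios", "syslog"}

# Constructed sample inputs.conf. Only the /var/log/switches path and the
# Cisco_logs sourcetype come from the thread; the rest is hypothetical.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/switches]
index = network
sourcetype = Cisco_logs

[monitor:///var/log/wlc]
index = network

[monitor:///var/log/routers]
index = network
sourcetype = cisco:ios
"""


def audit_monitor_stanzas(conf_text, expected=EXPECTED_SOURCETYPES):
    """Return (stanza, problem) pairs for monitor inputs the app would not match."""
    # Split on '=' only, so the ':' in 'cisco:ios' and 'monitor://' is kept intact.
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        if not stanza.startswith("monitor://"):
            continue  # only file-monitor inputs are checked here
        sourcetype = parser.get(stanza, "sourcetype", fallback=None)
        if sourcetype is None:
            findings.append((stanza, "no sourcetype set; one will be assigned automatically"))
        elif sourcetype not in expected:
            findings.append((stanza, f"sourcetype {sourcetype!r} is not in {sorted(expected)}"))
    return findings


if __name__ == "__main__":
    for stanza, problem in audit_monitor_stanzas(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: {problem}")
```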