Why am I not getting any data in the Switch Dashboard in the Cisco Networks App in Splunk? I see some visual data only in Cisco Networks Overview. Apart from Networks Overview, I cannot see any data anywhere in the app, such as Audit, Switching, Routing, Security, Performance, Wireless, etc.
The method I used is as below:
1. WLC and Cisco switch log files are routed to a syslog-ng server, and I installed the Splunk Universal Forwarder on top of it.
2. Authorized forwarder to connect to splunk server:
sudo /opt/splunkforwarder/bin/splunk add forward-server splunkserverip:port -auth admin:changeme
3. added the directory for the monitoring:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/switches/
Please help me with your response to complete the task of utilizing all the options of the Cisco Networks app.
See the Help page in the app for all the parameters you need to set on your devices.
Be sure to set the following as well:
logging trap informational
to enable sending all types of logs
You need a high velocity of logs and lots of devices, and most importantly your devices actually have to send the types of logs that are relevant for this use case.
Thanks for your response. I'm getting all the logs into my syslog server. I have no problem with logs. My question is that I'm able to see the received log data visually only in the Cisco Networks Overview tab in the Cisco Networks app in Splunk. Apart from the Networks Overview option in the app, I cannot see the data in other options of the app such as Audit, Switching, Routing, Security, Performance, Wireless, etc.
Make sure your user searches whatever index your Cisco logs are in by default. Check your role settings.
I checked my role; I have all the privileges to read, write and execute as an administrator. I'm able to search in the search box and the data is flowing, but I want to see that data in the networking app.
I reconfigured it again today:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/switches -index Ciscoswitchesindex -sourcetype Cisco_logs
What else should I configure?
Why did you set sourcetype as Cisco_logs when the app expects sourcetype to be cisco:ios ?
You're saying that you can see the data in the search app. What is the search string you're using? If it includes an index=whatever that means you need to change your role to search that index BY DEFAULT in role settings.
When I use the log path as below:
source="/var/log/switches/switch1.log" sourcetype=switch-toosmall host=syslogsplunk
but Splunk shows sourcetype=switch-toosmall and host=syslogsplunk.
syslogsplunk is the log server host name, and I see the sourcetype is automatically generated; I never mentioned "switch-toosmall".
Do you want me to change the source type to cisco:ios?
Sourcetype must be "cisco:ios" or "syslog".
In Splunk the sourcetype plays an important role. It is the main way of categorizing similar events. All apps rely on specific sourcetypes. It's mentioned in the documentation.
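The following inputs.conf fragment is an added example for the forwarder setup discussed in this thread; it is not from the thread or from the Cisco Networks app. It shows the monitor stanza the original "add monitor /var/log/switches/" command produces (no sourcetype, so Splunk auto-classifies the file, which for a short file yields a learned name like "switch-toosmall" that the app never searches, and host defaults to the forwarder's own hostname) beside the corrected stanza with sourcetype cisco:ios. Assumptions: the file lives at /opt/splunkforwarder/etc/system/local/inputs.conf, the index is the one named in the thread (written in lowercase, as Splunk index names must be) and already exists on the indexer, and syslog-ng writes one file per device named <device>.log, which the optional host_regex uses to set host to the device rather than to the syslog server.

```ini
# /opt/splunkforwarder/etc/system/local/inputs.conf (added example, not from the thread)

# BEFORE: what "splunk add monitor /var/log/switches/" creates.
# No sourcetype is set, so Splunk guesses one per file ("switch-toosmall");
# host becomes the forwarder's hostname (syslogsplunk), not the switch.
[monitor:///var/log/switches/]
disabled = false

# AFTER: one stanza with the sourcetype the Cisco Networks app searches for.
# Delete the BEFORE stanza so the same path is not monitored twice
# (the trailing slash makes it a different stanza, not an overwrite).
[monitor:///var/log/switches]
disabled = false
sourcetype = cisco:ios
index = ciscoswitchesindex
# Optional (assumed file layout /var/log/switches/<device>.log):
# set host from the file name, e.g. switch1.log -> host=switch1.
host_regex = /var/log/switches/([^/]+)\.log$
```

After editing, restart the forwarder (sudo /opt/splunkforwarder/bin/splunk restart) and confirm that only one stanza remains with sudo /opt/splunkforwarder/bin/splunk list monitor. The new sourcetype applies only to events indexed from that point on; anything already stored as switch-toosmall keeps that sourcetype, so check the dashboards against fresh events rather than the old ones.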