All Apps and Add-ons

Why is the Cisco Networks App for Splunk Enterprise not parsing data?

pierrejordonnel
Explorer

Maybe someone can help me with this. I followed the instructions and changed my sourcetype to syslog since I do not have any sourcetype built for cisco:ios. I have yet to see any data even though I have tons of data coming in. Can anyone please help me figure out what I'm currently doing wrong?

Any and all help is appreciated

--Pierré

0 Karma
1 Solution

mikaelbje
Motivator

Hi,

  1. Do you see anything if you try this search: index=* sourcetype=cisco:ios . If so, change your permissions to search whatever index you put your data in to be searched by default
  2. Did you install both the app and the add-on on the search head? Add-on on the indexer
  3. Can you provide me with some log samples of the raw data as you see it in Splunk in the current syslog sourcetype?

View solution in original post

mikaelbje
Motivator

Hi,

  1. Do you see anything if you try this search: index=* sourcetype=cisco:ios . If so, change your permissions to search whatever index you put your data in to be searched by default
  2. Did you install both the app and the add-on on the search head? Add-on on the indexer
  3. Can you provide me with some log samples of the raw data as you see it in Splunk in the current syslog sourcetype?

pierrejordonnel
Explorer

It started to pick up information in the sourcetype=cisco:ios. I think I figured out the issue. I thought that there was no add-on due to only reading the title. I have added the add-on and that fixed it. Thanks for responding to me so quickly Mike.

mikaelbje
Motivator

Great! No problem 🙂 I'd be happy if you could give the app and add-on a rating after you've tried them out for a while 🙂

0 Karma

pierrejordonnel
Explorer

It looks like it started to pull data after I restarted the splunk search head. It apparently only see's port flappings but not unique devices and other issues that are probably being reported by my cisco devices.

0 Karma