cisco ios and TA

asinghami
New Member

I have installed CISCO IOS/TA and forwarded data from Cisco to the Splunk server, and created a UDP input for port 514, but I still don't see any data coming in.

Looks like I need to configure this app a bit more to get it working. Does anyone have any idea how to go about it?

0 Karma

mbuehler_splunk
Splunk Employee

https://splunkbase.splunk.com/app/1467/#/details

Installation
Step 1: App installation

  • Install the Cisco Networks (cisco_ios) App on your search head
  • Install the Cisco Networks Add-on (TA-cisco_ios) on your search head AND indexers/heavy forwarders
  • Syslog input: Enable a UDP input with a custom port number on your Splunk forwarder or Splunk indexer. Set the sourcetype to cisco:ios or syslog
  • Smart Call Home input: Enable a TCP input with a custom port number on your Splunk forwarder or Splunk indexer. Set the sourcetype to Cisco:SmartCallHome

Step 2: Configure your Cisco devices

Cisco IOS

This includes all IOS variants. Not all commands are supported on all models

Basic logging and timestamping
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service sequence-numbers
logging trap informational
logging host [YOUR SYSLOG/SPLUNK SERVER IP] transport udp port [YOUR UDP PORT]
      
Enable change auditing
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
login on-failure log
login on-success log
logging userinfo
!
      
Monitor interface changes
General
logging event trunk-status global
logging event link-status global
  
Interface level
logging event trunk-status
logging event spanning-tree
logging event status
        
MAC move notifications, STP logging, IP SLA logging etc.
mac address-table notification mac-move
spanning-tree logging
ip sla logging traps
ip dhcp limit lease log
ip dhcp conflict logging
ip nat log translations syslog
xconnect logging pseudowire status
ntp logging
epm logging
      
For DHCP utilization logging on your devices, do this for each pool
utilization mark high 80 log
      
For ARP threshold logging, do this on your SVIs and IP interfaces
arp log threshold entries 2048
      
TrustSec
If you are using Cisco TrustSec, add the following

cts sxp log binding-changes
cts logging verbose
      
ACL logging
General
Remember to add the log or log-input keyword to your access list entries if you want to enable access list logging

Access list correlation tags
ip access-list logging hash-generation
      
CPU and Memory Utilization logging
This generates CPU and memory notifications: a CPU notification if the CPU has been over 80% for more than 5 seconds, and a memory notification if there is less than 20000KB.

process cpu threshold type total rising 80 interval 5
memory free low-watermark processor 20000
memory free low-watermark io 20000
      
Smart Call Home logging
Enabling Smart Call home allows you to get extended device information from your devices at specific intervals

ip http client source-interface [SOURCE INTERFACE]
!
service call-home  
call-home  
contact-email-addr [YOUR.EMAIL@ADDR.ESS]
site-id ["YOUR_SITE_NAME"]
profile "Splunk"  
  destination transport-method http  
  destination address http http://[YOUR SYSLOG/SPLUNK SERVER IP]:[YOUR SMART CALL HOME TCP PORT]
  subscribe-to-alert-group diagnostic severity debug  
  subscribe-to-alert-group environment severity debug  
  subscribe-to-alert-group inventory  
  subscribe-to-alert-group inventory periodic daily 22:30
!
      
NX-OS

This includes all NX-OS variants. Not all commands are supported on all models

Basic logging and timestamping
logging logfile messages 6
logging server [YOUR SYSLOG/SPLUNK SERVER IP] 6 use-vrf [YOUR MGMT VRF]
logging timestamp milliseconds
logging monitor 6
      
Enable change auditing
This feature is not supported on the NX-OS platform

Monitor interface changes
General
  
logging message interface type ethernet description
logging event link-status default
logging event trunk-status default
        
Interface level
logging event port link-status
logging event port trunk-status
        
MAC move notifications, STP logging, IP SLA logging etc.
mac address-table notification mac-move
ntp logging
      
ACL logging
General
Remember to add the log or log-input keyword to your access list entries if you want to enable access list logging

NX-OS ACL logging
logging level acllog 6
acllog match-log-level 6
logging logfile messages 6
      
Smart Call Home logging
Enabling Smart Call home allows you to get extended device information from your devices at specific intervals

callhome
  site-id ["YOUR_SITE_NAME"]
  email-contact [YOUR.EMAIL@ADDR.ESS]
  phone-contact [YOUR PHONE NUMBER]
  streetaddress S01
  destination-profile Splunk
  destination-profile Splunk format XML
  destination-profile Splunk transport-method http
  destination-profile Splunk http http://[YOUR SYSLOG/SPLUNK SERVER IP]:[YOUR SMART CALL HOME TCP PORT]
  destination-profile Splunk alert-group Diagnostic
  destination-profile Splunk alert-group EEM
  destination-profile Splunk alert-group environmental
  destination-profile Splunk alert-group inventory
  destination-profile Splunk alert-group license
  destination-profile Splunk alert-group linecard-hardware
  destination-profile Splunk alert-group supervisor-hardware
  destination-profile Splunk alert-group system
  destination-profile Splunk alert-group test
  transport http use-vrf [YOUR MGMT VRF]
  enable
  periodic-inventory notification interval  1
  periodic-inventory notification timeofday 22:30

mikaelbje
Motivator

What sourcetype did you give your new UDP input?

It needs to be set to one of the following:

  • syslog
  • cisco:ios

Please also provide a sample of one of your log lines. Search it up in Splunk.

If you don't see the event at all regardless of sourcetype you have an issue with your input, not the app.
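
Added example, not part of the original thread or the app's own code: a way to separate an input problem from an app problem by sending one constructed syslog datagram in the shape the "Basic logging and timestamping" commands above produce (sequence number, then timestamp with milliseconds, timezone and year) and checking that it parses. The function names and the %SPLUNKTEST-6-PROBE mnemonic are made up for the test and are not real Cisco messages; facility local7 is assumed because it is the IOS default.

```python
import re
import socket
from datetime import datetime, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# <PRI>seq: Mon DD YYYY HH:MM:SS.mmm TZ: %FACILITY-SEV-MNEMONIC: text
IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): \*?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{4} \d{2}:\d{2}:\d{2}\.\d{3} \S+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

def build_probe(seq, marker, when=None):
    """Constructed event. PRI 190 = local7 (23) * 8 + informational (6)."""
    when = when or datetime.now(timezone.utc)
    ts = (f"{MONTHS[when.month - 1]} {when.day:2d} {when.year} "
          f"{when:%H:%M:%S}.{when.microsecond // 1000:03d} UTC")
    return f"<190>{seq}: {ts}: %SPLUNKTEST-6-PROBE: probe {marker}"

def parse_ios(line):
    """Return the fields of an IOS-style line, or None if the shape differs."""
    m = IOS_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["syslog_facility"], fields["syslog_severity"] = divmod(int(fields["pri"]), 8)
    return fields

def send_probe(host, port, payload):
    """Send one datagram to the UDP input under test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(payload.encode("ascii"), (host, port))

def loopback_check(marker="input-check-001", timeout=2.0):
    """Self-test: bind a throwaway listener, send a probe to it, parse the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        send_probe("127.0.0.1", rx.getsockname()[1], build_probe(1, marker))
        data, _ = rx.recvfrom(4096)
    return parse_ios(data.decode("ascii"))

if __name__ == "__main__":
    print(loopback_check())
```

Point send_probe at the host and port of the UDP input from another machine, then search Splunk for the marker string. If the marker never shows up under any sourcetype, the datagram is being lost before the app is involved.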

mikaelbje
Motivator

Hi,

The error you are reporting does not look like an indication of a problem with the app, but an issue with your Splunk install. I suggest you create the necessary diag files and open a case with Splunk support.

0 Karma

asinghami
New Member

This is what I have done:
- created a UDP input of sourcetype "syslog" for the Cisco device.
- installed the CISCO-IOS app and TA

I am getting the following error in the Splunk log:

Unable to fetch datamodelreport REST endpoint '/servicesNS/admin/cisco_ios/datamodel/pivot/Cisco_IOS_Event' from 'https://127.0.0.1:8089'
Socket error while accessing servicesNS/admins/cisco_ios/datamodel/pivot/Cisco_IOS_Event: Winsock error 10053

I do agree with you that it has to do with the input, but I don't know what/where. Even if I take the apps out of scope and try to just ingest the data from the switch, I can't.

0 Karma