I'm new to Splunk and was attempting to complete a quick deployment using network devices. I'm unable to get the Cisco Networks App to display any data. I'm not sure what I'm overlooking.
Cisco Networks Add-on: 2.5.4
Cisco Networks (App): 2.5.4
Splunk: Free version 7.1
1) Splunk is operational.
2) Cisco App/Addon > Browse more apps > install both app and addon
EDIT: Restart of Splunk is completed.
3) Configure Data Input: UDP 514 > Source Type cisco:ios > App Context: Cisco Networks (cisco_ios) > Index: Default or Custom created. > Submit.
Performing either of the below searches provides syslog traffic (tested with Real-Time for firewall syslogs and results are flowing).
@rich7177: The service requests a restart after installation of the apps. Restarts were conducted after the installation as well as after configuration of the data input.
@xpac: As mentioned, I'm using my firewall to send syslogs (UDP/514). These transactions have already been confirmed successful when entering the above queries.
Have you restarted Splunk since you finished step 3? (I have NO idea why this would be required, but it's worth a shot. 🙂 )
There are a couple of things in the app that might cause this -
First, it uses data models for most of the stuff I can see. If those aren't working right for some reason that could cause this.
The rest of the searches also use `eventtype=cisco_ios-routing` or similar in their search. When you run a search like `sourcetype="cisco:ios" | stats count by eventtype, sourcetype`, what sorts of combinations do you get?
First: It would be good to know what your Splunk architecture is, especially how you are feeding the Syslog to Splunk.
Are you simply using a standalone instance that does both the Search Head and Indexer? From your post, I would assume it is.
(The reason behind that question is to figure out where your parsing phase is (Heavy Forwarder or Indexer), since the Technical Add-on (TA) will need to be installed on that specific instance as well.)
`source="udp:514"`, verify if the fields are being extracted accordingly.
Second: Syslog event format and data flow - it could be possible the events being received are not in the appropriate format expected by the TA. Feel free to share a raw event (obfuscate any confidential information) and/or share with us your data flow (i.e.: Syslog-ng server with UF --> IX).
Third: The next thing I would ask is: where is your data being indexed - which index? If you used a custom index (i.e.: `index=ciscoios`), make sure the index is part of your "Indexes searched by default" in your user role (`Settings > Access Controls > Roles > yourcurrent_role > Indexes searched by default`). By default, Splunk will make the `main` index searched by default if an index is not specified in your SPL search.
Fourth: Edit the `cisco_ios_index` macro (default: `index=ios`) to include the index where your data resides, i.e.: `index=ios OR index=your_index`
Anyhow, let us know what you figured or require further assistance.
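As an added example for the "Second" point above (this is not code from the thread or from the Cisco Networks app), a small Python check that tells you whether raw syslog lines carry the standard Cisco IOS `%FACILITY-SEVERITY-MNEMONIC:` header and whether the syslog PRI severity agrees with the severity digit in that header; the sample lines are constructed, not captured from a real device.

```python
import re

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: message text.
# Everything before the '%' (syslog PRI, sequence number, timestamp) is optional.
IOS_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"      # optional syslog PRI, e.g. <189>
    r"(?P<prefix>.*?)"                # sequence number / timestamp, if present
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


def pri_to_facility_severity(pri):
    """Decode a syslog PRI value into (facility, severity) per RFC 3164/5424."""
    return pri // 8, pri % 8


def parse_ios_event(line):
    """Return header fields for a Cisco IOS style event, or None if it does not match."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") else None
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
        # Severity carried by the syslog PRI, if the line had one; should equal "severity".
        "pri_severity": pri_to_facility_severity(pri)[1] if pri is not None else None,
    }


def classify_events(lines):
    """Split raw lines into those with an IOS header and those without (the ones the TA cannot map)."""
    matched, unmatched = [], []
    for line in lines:
        (matched if parse_ios_event(line) else unmatched).append(line)
    return matched, unmatched


# Constructed sample lines (hypothetical, not from a real device).
SAMPLE = [
    "<189>45: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>46: *Mar  1 00:13:01.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 00:14:00 fw01 kernel: some non-Cisco syslog text",
]

if __name__ == "__main__":
    ok, bad = classify_events(SAMPLE)
    print(f"{len(ok)} IOS-format lines, {len(bad)} lines without an IOS header")
```

Run it over a few raw events copied from the `source="udp:514"` search; lines that land in the unmatched list are the ones worth looking at before blaming the data models or macros.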