Cisco Networks App/Add-on

splunknvi
Engager

I'm new to Splunk and was attempting to complete a quick deployment using network devices. I'm unable to get the Cisco Networks App to display any data. I'm not sure what I'm overlooking.

Software Versions:
Cisco Networks Add-on: 2.5.4
Cisco Networks (App): 2.5.4
Splunk: Free version 7.1

Procedure:
1) Splunk is operational.
2) Cisco App/Add-on > Browse more apps > install both app and add-on
EDIT: Restart of Splunk is completed.
3) Configure Data Input: UDP 514 > Source Type cisco:ios > App Context: Cisco Networks (cisco_ios) > Index: Default or Custom created. > Submit.

Performing either of the below searches provides syslog traffic (tested with Real-Time for firewall syslogs and results are flowing).

Queries:
source="udp:514"

sourcetype="cisco:ios"

Update 2018-05-28:
@rich7177: The service requests a restart after installation of the apps. Restarts were conducted after the installation as well as after configuration of the data input.

@xpac: As mentioned, I'm using my firewall to send syslogs (UDP/514). These transactions have already been confirmed successful when entering the above queries.

0 Karma

ptang_splunk
Splunk Employee

Hi splunknvi,

First: It would be good to know what your Splunk architecture is, especially how you are feeding the syslog to Splunk.
Are you simply using a standalone instance that does both the Search Head and Indexer? From your post, I would assume it is.
(The reason behind that question is to figure out where your parsing phase is (Heavy Forwarder or Indexer), since the Technical Add-on (TA) will need to be installed on that specific instance as well.)

  • Since you are able to search sourcetype="cisco:ios" or source="udp:514", verify if the fields are being extracted accordingly.

Installation matrix:

  • Install TA on the Search Head and Heavy Forwarder or Indexers (depending on your data flow)
  • Install the App on the Search Head only

Second: Syslog event format and data flow - it is possible that the events being received are not in the format expected by the TA. Feel free to share a raw event (obfuscate any confidential information) and/or share your data flow with us (i.e. Syslog-ng server with UF --> IX).

Third: The next thing I would ask is: where is your data being indexed - which index? If you used a custom index (i.e. index=cisco_ios), make sure the index is part of the "Indexes searched by default" in your user role (Settings > Access Controls > Roles > your_current_role > Indexes searched by default). By default, Splunk searches only the main index if no index is specified in your SPL search.

  • Example - This SPL search will only search inside the default searched indexes (default: index=main): eventtype=cisco_ios

Fourth: Edit the cisco_ios_index macro (default: index=ios) to include the index where your data resides, i.e. index=ios OR index=your_index


Anyhow, let us know what you figured or require further assistance.

Regards,

Philippe

0 Karma
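As an added illustration (not part of the original thread, and not the Cisco Networks app's or add-on's own configuration), here is what the changes Philippe lists look like in Splunk's .conf files on a standalone instance. The index name cisco_ios, the role name user, and the app directories used for the paths (TA-cisco_ios for the input and macro override) are assumptions; substitute your own.

```ini
# Added example, not from the thread. Assumes a single Splunk instance that is
# both search head and indexer, a custom index named cisco_ios, and a role
# named "user". Each stanza is annotated with the file it belongs in.

# 1) The UDP 514 input from step 3 of the question, as Splunk stores it.
#    File: $SPLUNK_HOME/etc/apps/TA-cisco_ios/local/inputs.conf (assumed app
#    directory). The TA must be installed on the instance that parses the data.
[udp://514]
sourcetype = cisco:ios
index = cisco_ios
connection_host = ip

# 2) The custom index has to exist on the indexer.
#    File: $SPLUNK_HOME/etc/system/local/indexes.conf
[cisco_ios]
homePath   = $SPLUNK_DB/cisco_ios/db
coldPath   = $SPLUNK_DB/cisco_ios/colddb
thawedPath = $SPLUNK_DB/cisco_ios/thaweddb

# 3) "Indexes searched by default" for the role (Settings > Access Controls >
#    Roles). File: $SPLUNK_HOME/etc/system/local/authorize.conf; entries are
#    separated by semicolons, and the index must also be in the allowed list.
#    Without cisco_ios here, a search such as eventtype=cisco_ios that names no
#    index silently looks only in main and returns nothing.
[role_user]
srchIndexesAllowed = main;cisco_ios
srchIndexesDefault = main;cisco_ios

# 4) Override the app's cisco_ios_index macro (default: index=ios) in the local
#    directory of the app that defines it (assumed here to be TA-cisco_ios).
#    File: $SPLUNK_HOME/etc/apps/TA-cisco_ios/local/macros.conf
[cisco_ios_index]
definition = index=ios OR index=cisco_ios

# After restarting Splunk, confirm the effective settings from the CLI:
#   splunk btool inputs list udp://514 --debug
#   splunk btool macros list cisco_ios_index --debug
#   splunk btool authorize list role_user --debug
```

The btool output shows which file each setting is finally read from, which is the quickest way to spot a default-app stanza or a system/default value still winning over the local override.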

xpac
SplunkTrust

Stupid question: Did you direct your Syslog on those devices to the IP of your Splunk instance?

0 Karma

Richfez
SplunkTrust

Have you restarted Splunk since you finished step 3? (I have NO idea why this would be required, but it's worth a shot. 🙂 )

There are a couple of things in the app that might cause this -

First, it uses data models for most of the stuff I can see. If those aren't working right for some reason that could cause this.

The rest of the searches also use eventtype=cisco_ios-routing or similar in their search. When you run a search like sourcetype="cisco:ios" | stats count by eventtype, sourcetype what sorts of combinations do you get?

0 Karma

davebo1896
Communicator

How is the event type 'cisco_ios-routing' defined? I don't see it in the app.

0 Karma

davebo1896
Communicator

Ah, it is in TA-cisco_ios

0 Karma

xpac
SplunkTrust

Yeah, try that search @rich7177 posted, it might help you figure out the problem. 🙂

0 Karma