Perhaps it needs the userid, password, and the ip address of the IPS to the script?
The Cisco IPS add-on can be downloaded, installed, and a connection made to your Cisco IPS sensor(s) by either using the Splunk app setup screen or by manually installing and configuring the add-on. Instructions for both methods are described.
+++ Automated setup using the add-on setup +++
The automated setup is designed to walk you through the configuration of the Cisco IPS add-on once the add-on is installed on your Splunk deployment. The setup screen can be accessed in one of the following ways:
Click the "Setup" button on the add-on from within the Splunk Home page.
Click the Welcome > Add data > Cisco device logs
Click Manager > Apps > Cisco IPS > "Set up"
The setup of the app will require the IP Address or hostname of the sensor you wish to configure and the username/password that will be used to connect to the sensor and pull the data. You also have an option to specify a local file source input for the data. Once the desired configuration options are selected, click the "Save" button. The setup program will create and/or update the inputs.conf file to include the desired input configuration.
+++ Manual setup and configuration +++
Open the inputs.conf file located at $SPLUNKHOME/etc/apps/SplunkCiscoIPS/local/inputs.conf
Modify the inputs.conf file to include the following stanza for each IPS sensor that needs to be configured
Splunk requires a restart before the scripted input will take effect.
This add-on has been renamed from previous versions (namely "addon" has been removed). Optionally you may choose to manually remove the "ciscoips_addon" add-on from the file system. If any changes exist in local they will need to be manually migrated over to this add-on.