Getting Data In

Cisco IOS and TA not showing data in dashboards

morphis72
Path Finder

I have a distributed environment:
Splunk Enterprise 7.2.4
All infrastructure is RHEL 7.x
Search head cluster (5 search heads)
Multisite Index cluster (20 indexers)
Cisco devices -sending data to--> rsyslog server --> UF collects logs and sends to --> Index cluster (sourcetype=syslog)

I have installed the cisco_ios app on my search head cluster
I have installed the TA-cisco_ios add-on on my search heads and on my indexers
sourcetype = syslog
index = something_that_meets_my_naming_standards

From what I'm reading in the docs it doesn't look like I need to change anything in the TA or the App to include my custom index name. The data is tagged as syslog and I can search the logs within my index but the Cisco dashboards don't find anything.

What am I missing here?


mbjerkeland_spl
Splunk Employee

There is a base eventtype you can adapt in the app. I believe it is the first one in eventtypes.conf. Just add your index name to that macro.

A different approach would be to change your roles to automatically search that index by default.

morphis72
Path Finder

Here are the first few stanzas in eventtypes.conf. Do I add index=myindexname to each stanza in the file or to a specific one?

[cisco_ios-acl_log]

[cisco_ios-duplex_mismatch]
search = eventtype=cisco_ios mnemonic=DUPLEX_MISMATCH OR (facility=LWAPP mnemonic=AP_DUPLEX_MISMATCH)

[cisco_ios-native_vlan_mismatch]
search = eventtype=cisco_ios mnemonic=NATIVE_VLAN_MISMATCH

[cisco_ios-port_down]

[cisco_ios-port_up]

[cisco_ios-if_attached]
search = eventtype=cisco_ios facility=VIM mnemonic=IF_ATTACHED

[cisco_ios-stackmgr]
search = eventtype=cisco_ios facility=STACKMGR

mbjerkeland_spl
Splunk Employee

Add the index name as index=something to the stanza called cisco_ios.

You will see that one referenced in the other stanzas.


morphis72
Path Finder

Do I need to make any changes to the app? I don't see an eventtype.conf in the companion app but I do see a macro. In macro.conf would I set the index below?

[cisco_ios_index]
definition = (index=*)

[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor($seconds$/24/3600) | eval sec2time_hours=floor(($seconds$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor(($seconds$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor($seconds$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" $output_field$
iseval = 0

[normalize-int(3)]
args = int_prefix_long,int_suffix,output_field
definition = eval $output_field$=$int_prefix_long$+$int_suffix$
iseval = 0

## Calling these requires the commercial "TA-cisco_ios-multi_tenancy" add-on
## BEGIN
[check_multi_tenancy]
iseval = 0
definition = rest splunk_server=local /services/apps/local/ | search title=TA-cisco_ios-multi_tenancy disabled=0

[get_tenants_for_user_role(1)]
args=user
definition = inputlookup cisco_ios_tenants | stats values(index) AS index BY tenant_name,roles | eval index=mvjoin(index,",") | eval index=replace(index,","," OR index=") | eval index="index=" + index | search [| rest splunk_server=local /services/authentication/users/$user$ | fields roles]
iseval = 0
## END
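The cisco_ios_index macro quoted above is the single place where the app scopes its searches, and index=* is what the default ships with. As an added example that is not from the TA or from this thread, here is a small Python check that parses a macros.conf, reports any macro still scoped to index=*, and builds the local/macros.conf stanza that pins it to explicit index names (Splunk applies local over default, so the app's own file is left untouched). The sample conf text and the index name network_cisco are constructed placeholders.

```python
import configparser
import re

# Constructed sample of the app's default/macros.conf, reduced to the
# stanza quoted in the thread plus one unrelated macro for contrast.
DEFAULT_MACROS_CONF = """\
[cisco_ios_index]
definition = (index=*)

[normalize-int(3)]
args = int_prefix_long,int_suffix,output_field
definition = eval $output_field$=$int_prefix_long$+$int_suffix$
iseval = 0
"""

# Only accept plain index names, so nothing else can be spliced into
# the search string the macro expands to.
INDEX_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]*$")


def load_conf(text, parser=None):
    """Parse Splunk .conf text (INI-like) into a ConfigParser.

    Passing an existing parser layers the new text over it, so a later
    stanza overrides earlier keys the way Splunk's local/ beats default/.
    """
    cp = parser or configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return cp


def wildcard_index_macros(text):
    """Names of macros whose definition still searches every index."""
    cp = load_conf(text)
    return [name for name in cp.sections()
            if re.search(r"index\s*=\s*\*", cp[name].get("definition", ""))]


def local_override(macro_name, index_names):
    """Build the local/macros.conf stanza that pins a macro to given indexes."""
    for idx in index_names:
        if not INDEX_NAME_RE.match(idx):
            raise ValueError(f"invalid index name: {idx!r}")
    clause = " OR ".join(f"index={i}" for i in index_names)
    return f"[{macro_name}]\ndefinition = ({clause})\n"


def effective_definition(default_text, local_text, macro_name):
    """Definition Splunk would use after layering local over default."""
    cp = load_conf(local_text, load_conf(default_text))
    return cp[macro_name]["definition"]
```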

richgalloway
SplunkTrust

Edit the dashboards to see what index they are looking for. Change them to use your index.

---
If this reply helps you, Karma would be appreciated.

morphis72
Path Finder

I searched the whole app recursively and couldn't find an index=

Also don't see a macro that it might be referring to.
