Cisco IOS and TA not showing data in dashboards

morphis72 · ‎10-11-2019

I have a distributed environment:
Splunk Enterprise 7.2.4
All infrastructure is RHEL 7.x
Search head cluster (5 search heads)
Multisite Index cluster (20 indexers)
Cisco devices -sending data to--> rsyslog server --> UF collects logs and sends to --> Index cluster (sourcetype=syslog)

I have installed the cisco_ios app on my search head cluster
I have installed the TA-cisco_ios add-on on my search heads and on my indexers
sourcetype = syslog
index = something_that_meets_my_naming_standards

From what I'm reading in the docs it doesn't look like I need to change anything in the TA or the App to include my custom index name. The data is tagged as syslog and I can search the logs within my index but the Cisco dashboards don't find anything.

What am I missing here?

mbjerkeland_spl · ‎10-11-2019

There is a base eventtype you can adapt in the app. I believe it is the first one in eventtypes.conf. Just add your index name to that macro.

A different approach would be to change your roles to automatically search that index by default.

morphis72 · ‎10-14-2019

Here are the first few stanzas in eventyptes.conf. Do I add index=myindexname to each stanza in the file or to a specific one?

 [cisco_ios-acl_log]

[cisco_ios-duplex_mismatch]
search = eventtype=cisco_ios mnemonic=DUPLEX_MISMATCH OR (facility=LWAPP mnemonic=AP_DUPLEX_MISMATCH)

[cisco_ios-native_vlan_mismatch]
search = eventtype=cisco_ios mnemonic=NATIVE_VLAN_MISMATCH

[cisco_ios-port_down]

[cisco_ios-port_up]

[cisco_ios-if_attached]
search = eventtype=cisco_ios facility=VIM mnemonic=IF_ATTACHED

[cisco_ios-stackmgr]
search = eventtype=cisco_ios facility=STACKMGR

mbjerkeland_spl · ‎10-14-2019

Add the index name as index=something to the stanza called cisco_ios

You will see that one referenced in the other stanzas

morphis72 · ‎10-14-2019

Do I need to make any changes to the app? I don't see an eventtype.conf in the companion app but I do see a macro. In macro.conf would I set the index below?

[cisco_ios_index]
definition = (index=*)

[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor($seconds$/24/3600) | eval sec2time_hours=floor(($seconds$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor(($seconds$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor($seconds$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" $output_field$
iseval = 0

[normalize-int(3)]
args = int_prefix_long,int_suffix,output_field
definition = eval $output_field$=$int_prefix_long$+$int_suffix$
iseval = 0

## Calling these requires the commercial "TA-cisco_ios-multi_tenancy" add-on
## BEGIN
[check_multi_tenancy]
iseval = 0
definition = rest splunk_server=local /services/apps/local/ | search title=TA-cisco_ios-multi_tenancy disabled=0

[get_tenants_for_user_role(1)]
args=user
definition = inputlookup cisco_ios_tenants | stats values(index) AS index BY tenant_name,roles | eval index=mvjoin(index,",") | eval index=replace(index,","," OR index=") | eval index="index=" + index | search [| rest splunk_server=local /services/authentication/users/$user$ | fields roles]
iseval = 0
## END

richgalloway · ‎10-11-2019

Edit the dashboards to see what index they are looking for. Change them to use your index.

---
If this reply helps you, Karma would be appreciated.

morphis72 · ‎10-11-2019

I searched the whole app recursive and couldn’t find an index=

Also don’t see a macro that it might be referring to.

Cisco IOS and TA not showing data in dashboards

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes