Getting Data In

Cisco IPS addon issues

stuckeysnewband
New Member

Good Day, I have installed the IPS addon to the Cisco Security, but am not generating any information. I tried executing the search index="_internal" sourcetype="sdee_connection" to troubleshoot, but did not receive any hits back. My inputs.conf file looks right. I am sure I have missed something, but am not sure where to go from here.

Thanks!

0 Karma

pstamati
Path Finder

Hi, I have the same problem. I installed the Cisco IPS add-on in my Splunk (Windows) but no event is shown.
No sdee_connection.log file exists, nor a .run file either.
Any idea?

0 Karma

Will_Hayes
Splunk Employee

Hi, two things to check.

In $SPLUNK_HOME/var/log/splunk you should see sdee_connection.log. Can you paste the contents of that log?

Also, do you see a .run file in $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run ?

0 Karma

Mick
Splunk Employee

Can you paste in your inputs.conf please?

A lack of data from that particular sourcetype tells us that no data with that sourcetype is being indexed, which may suggest that the app isn't enabled correctly or that the script isn't firing as it should. There are likely some events in splunkd.log that will point you in the right direction, such as a script error. Another possibility is that the script isn't firing at all; you may want to enable DEBUG logging on the script processors to get a better view into how/if it's being run. You can do this via the 'System Logging' page in Manager.

0 Karma
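The checks suggested in the replies above can be run in one pass. This is an added example, not part of the thread and not code from the add-on: it looks for sdee_connection.log, for .run files, for disabled `script://` stanzas in the app's inputs.conf, and for ERROR/WARN lines in splunkd.log that mention the app. The script name `example_input.py` and the sample log lines are constructed, and only `1`/`true` are treated as "disabled".

```python
import configparser
import re
import tempfile
from pathlib import Path

APP = "cisco_ips_addon"  # app directory name as given in the thread

def triage(splunk_home):
    """Run the thread's checks against one Splunk install and return the findings."""
    home = Path(splunk_home)
    app, logs = home / "etc" / "apps" / APP, home / "var" / "log" / "splunk"
    run_dir = app / "var" / "run"
    found = {
        "sdee_log_exists": (logs / "sdee_connection.log").is_file(),
        "run_files": sorted(p.name for p in run_dir.glob("*.run")) if run_dir.is_dir() else [],
        "script_inputs": {},   # stanza name -> True when enabled
        "splunkd_errors": [],  # ERROR/WARN lines that mention the app
    }
    # Reading default/ then local/ into one parser lets local/ override default/.
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        conf.read([app / "default" / "inputs.conf", app / "local" / "inputs.conf"])
    except configparser.Error:
        pass  # unparsable file: keep what was read and review it by hand
    for stanza in conf.sections():
        if stanza.startswith("script://"):
            disabled = conf.get(stanza, "disabled", fallback="0").strip().lower()
            found["script_inputs"][stanza] = disabled not in ("1", "true")
    splunkd = logs / "splunkd.log"
    if splunkd.is_file():
        for line in splunkd.read_text(errors="replace").splitlines():
            if APP in line and re.search(r"\b(ERROR|WARN)\b", line):
                found["splunkd_errors"].append(line)
    return found

def demo():
    """Constructed install tree: input disabled in local/, one script error logged."""
    home = Path(tempfile.mkdtemp())
    app, logs = home / "etc" / "apps" / APP, home / "var" / "log" / "splunk"
    for d in (app / "default", app / "local", logs):
        d.mkdir(parents=True)
    stanza = "[script://$SPLUNK_HOME/etc/apps/%s/bin/example_input.py]\n" % APP
    (app / "default" / "inputs.conf").write_text(stanza + "interval = 1\ndisabled = 0\n")
    (app / "local" / "inputs.conf").write_text(stanza + "disabled = 1\n")
    (logs / "splunkd.log").write_text(
        "01-01-2024 00:00:00.000 INFO  Sample - unrelated line\n"
        "01-01-2024 00:00:01.000 ERROR Sample - %s/bin/example_input.py exited with code 1\n" % APP)
    return triage(home)
```

Call `triage()` with the real `$SPLUNK_HOME` path on the affected host; `demo()` only exercises it on a constructed tree.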