Good Day, I have installed the IPS addon to the Cisco Security, but am not generating any information. I tried executing the search index="_internal" sourcetype="sdee_connection" to troubleshoot, but did not receive any hits back. My inputs.conf file looks right. I am sure I have missed something, but am not sure where to go from here.
Hi, Two things to check.
in $SPLUNK_HOME/var/log/splunk you should see sdee_connection.log Can you paste the contents of that log.
Also, do you see a .run file in $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run ?
Can you paste in your inputs.conf please?
A lack of data from that particular sourcetype tells that no data with that sourcetype is being indexed, which may suggest that the app isn't enabled correctly or that the script isn't firing as it should. There's likely some events in
splunkd.log that will point you in the right direction, such as a script error. Another possibility is that the script isn't firing at all, you may want to enable DEBUG logging on the script processors to get a better view into how/if it's being run. You can do this via the 'System Logging' page in Manager