Re: How do I install the Cisco MARS Archive add-on...

Will_Hayes · ‎06-06-2010

How do I install and configure the Cisco MARS archive add-on on Splunkbase?

Will_Hayes · ‎06-09-2010

Sorry about that! link: http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+MARS+Archive+Add-on

williamche · ‎06-07-2010

Will,

I can't find any reference to a Cisco MARS Archive add-on in Splunkbase. Where I can I get this app?

Will_Hayes · ‎06-06-2010

To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart.

http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+MARS+Archive+Add-on

Configure your MARS instance schedule an export of the raw message archive logs into a directory accessible by the Splunk Server.

Once the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor that directory instructions on how to configure a data input can be found here: http://www.splunk.com/base/Documentation/latest/Admin/WhatSplunkCanMonitor

When configuring the data input you will need to select manual and set cisco_mars_rm.

There is one scheduled search included in this add-on which creates an cache for the dashboard every 3 hours with a Splunk enterprise license. To change the schedule you can edit the following search under the manager:

Cisco MARS Archive - IPS - DataCube

How do I install the Cisco MARS Archive add-on?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation