To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart.
http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+MARS+Archive+Add-on
Configure your MARS instance schedule an export of the raw message archive logs into a directory accessible by the Splunk Server.
Once the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor that directory instructions on how to configure a data input can be found here:
http://www.splunk.com/base/Documentation/latest/Admin/WhatSplunkCanMonitor
When configuring the data input you will need to select manual and set cisco_mars_rm.
There is one scheduled search included in this add-on which creates an cache for the dashboard every 3 hours with a Splunk enterprise license.
To change the schedule you can edit the following search under the manager:
Cisco MARS Archive - IPS - DataCube
