Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to view Nexus data in main dashboard of Cisco Networks App

shamscw
Engager
‎03-23-2017 02:38 AM

alt text

Hi there,

I've just recently installed the 'Cisco Networks' app https://splunkbase.splunk.com/app/1352/

However in the main dashboard or 'cisco networks overview' for product there is only an option for ios, wlc, ap. In the switching tab/dashboard there doesn't seem to be anything displayed for the nexus switches.

The only way I can see data from the nexus switch is in 'search' (attached) via an IP address

In the data input section in settings, I've put in the UDP port it would be received on, and the source type as 'cisco_syslog' as there didn't seem to be an option for nx-os or nexus.

Have I missed out a setting/configuration?

Thanks
Shams

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mikaelbje
Motivator
‎03-23-2017 03:34 AM

Hi,

since the post is awaiting moderation I have to post this as a comment, not an answer. Feel free to change this to an answer and accept.

You need to set the sourcetype of your data to "cisco:ios" OR "syslog". You will also need the Cisco Networks Add-on on your indexers and search head as described in the documentation.

"cisco:ios" is faster since Splunk won't need to rewrite the sourcetype based on a transform. Consider "syslog" a last resort.

As soon as this is corrected you will see your data in the Cisco Networks app. If you still don't see data you will need to make whatever index the data is stored in searched by default. This is done in Access Controls -> Roles in Splunk

View solution in original post

Reply
Solved! Jump to solution

maikhahn
New Member
‎07-03-2019 07:12 AM

Hi,
we have the same issue and our Splunk admin followed the rules
but nevertheless all is seen as cisco:ios no difference for ios-xe or nx-os

    splunk@xxx % tail -5 props.conf
    [CC:syslog]
    TRANSFORMS-force_sourcetypes_cc = force_sourcetype_cisco_asa, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
    SHOULD_LINEMERGE = false
    KV_MODE = none
    TZ = UTC

So any clue what's wrong ?
We had also updated App and Add-on to 2.5.8

Do I have to ask a new question or does this still fit to this post ?

0 Karma
Reply
Solved! Jump to solution
Solution

mikaelbje
Motivator
‎03-23-2017 03:34 AM

Hi,

since the post is awaiting moderation I have to post this as a comment, not an answer. Feel free to change this to an answer and accept.

You need to set the sourcetype of your data to "cisco:ios" OR "syslog". You will also need the Cisco Networks Add-on on your indexers and search head as described in the documentation.

"cisco:ios" is faster since Splunk won't need to rewrite the sourcetype based on a transform. Consider "syslog" a last resort.

As soon as this is corrected you will see your data in the Cisco Networks app. If you still don't see data you will need to make whatever index the data is stored in searched by default. This is done in Access Controls -> Roles in Splunk

Reply
Solved! Jump to solution

shamscw
Engager
‎03-23-2017 05:06 AM

Excellent thanks! that works! I got the 'add-on' and change the source type and now I can see events in the main dashboard. Thankyou

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...