Getting Data In

Unable to view Nexus data in main dashboard of Cisco Networks App

shamscw
Engager

alt text

Hi there,

I've just recently installed the 'Cisco Networks' app https://splunkbase.splunk.com/app/1352/

However in the main dashboard or 'cisco networks overview' for product there is only an option for ios, wlc, ap. In the switching tab/dashboard there doesn't seem to be anything displayed for the nexus switches.

The only way I can see data from the nexus switch is in 'search' (attached) via an IP address

In the data input section in settings, I've put in the UDP port it would be received on, and the source type as 'cisco_syslog' as there didn't seem to be an option for nx-os or nexus.

Have I missed out a setting/configuration?

Thanks
Shams

0 Karma
1 Solution

mikaelbje
Motivator

Hi,

since the post is awaiting moderation I have to post this as a comment, not an answer. Feel free to change this to an answer and accept.

You need to set the sourcetype of your data to "cisco:ios" OR "syslog". You will also need the Cisco Networks Add-on on your indexers and search head as described in the documentation.

"cisco:ios" is faster since Splunk won't need to rewrite the sourcetype based on a transform. Consider "syslog" a last resort.

As soon as this is corrected you will see your data in the Cisco Networks app. If you still don't see data you will need to make whatever index the data is stored in searched by default. This is done in Access Controls -> Roles in Splunk

View solution in original post

maikhahn
New Member

Hi,
we have the same issue and our Splunk admin followed the rules
but nevertheless all is seen as cisco:ios no difference for ios-xe or nx-os

    splunk@xxx % tail -5 props.conf
    [CC:syslog]
    TRANSFORMS-force_sourcetypes_cc = force_sourcetype_cisco_asa, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
    SHOULD_LINEMERGE = false
    KV_MODE = none
    TZ = UTC

So any clue what's wrong ?
We had also updated App and Add-on to 2.5.8

Do I have to ask a new question or does this still fit to this post ?

0 Karma

mikaelbje
Motivator

Hi,

since the post is awaiting moderation I have to post this as a comment, not an answer. Feel free to change this to an answer and accept.

You need to set the sourcetype of your data to "cisco:ios" OR "syslog". You will also need the Cisco Networks Add-on on your indexers and search head as described in the documentation.

"cisco:ios" is faster since Splunk won't need to rewrite the sourcetype based on a transform. Consider "syslog" a last resort.

As soon as this is corrected you will see your data in the Cisco Networks app. If you still don't see data you will need to make whatever index the data is stored in searched by default. This is done in Access Controls -> Roles in Splunk

shamscw
Engager

Excellent thanks! that works! I got the 'add-on' and change the source type and now I can see events in the main dashboard. Thankyou

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...