I completed a fairly large project aimed at onboarding Cisco Prime data into Splunk. There are a few options we discovered (some a lot better than others) and a few lessons we learned along the way, mostly related to the nature of the data that Cisco Prime sends out of the system. For example, one of the syslog-style feeds (maybe the only one) is for this normalized data type that Prime maintains called "Events" which as near as I could tell, were a combination of Prime alarms/alerts, regular syslog messages, and certain SNMP traps.
The focus of our project was mostly related to Cisco Wireless telementry to instrument performance, availability, fault tolerance, and end user experience/activity. In the end, we leveraged the Cisco Prime API, which I strongly encourage you to do as well (for at least part of your solution). The API allows quite a bit more flexibility and control on what you retrieve in addition to allowing for the opportunity to transform the output using a Splunk scripted input prior to indexing. This can be good for search optimization and/or controlling license consumption. The data format comes back as XML by default, but you can optionally request results in JSON.
This link is for the Cisco Prime API reference doc - just use the version that matches your Prime installation.
... View more