Hi splunknvi,
First: It would be good to know what your Splunk architecture looks like, especially how you are feeding Syslog into Splunk.
Are you simply using a standalone instance that acts as both Search Head and Indexer? From your post, I would assume so.
(The reason behind that question is to figure out where your parsing phase is (Heavy Forwarder or Indexer), since the Technical Add-on (TA) will need to be installed on that specific instance as well.)
Since you are able to search sourcetype="cisco:ios" or source="udp:514" , verify if the fields are being extracted accordingly.
Installation matrix:
Install TA on the Search Head and Heavy Forwarder or Indexers (depending on your data flow)
Install the App on the Search Head only
Second: Syslog event format and data flow - it is possible that the events being received are not in the format expected by the TA. Feel free to share a raw event (obfuscate any confidential information) and/or share your data flow with us (i.e. Syslog-ng server with UF --> IX).
Third: The next thing I would ask is: where is your data being indexed - which index? If you used a custom index (i.e. index=cisco_ios), make sure the index is part of the "Indexes searched by default" in your user role (Settings > Access Controls > Roles > your_current_role > Indexes searched by default). By default, Splunk searches only the main index if no index is specified in your SPL search.
Example - This SPL search will only search inside the default searched indexes (default: index=main ):
eventtype=cisco_ios
Fourth: Edit the cisco_ios_index macro (default: index=ios) to include the index where your data resides, i.e. index=ios OR index=your_index
Anyhow, let us know what you figured out or whether you require further assistance.
Regards,
Philippe
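As an added illustration (not part of Philippe's post or of the Cisco IOS app itself), the two .conf fragments below implement the third and fourth points above: adding a custom index to a role's default searched indexes, and overriding the cisco_ios_index macro. The role name cisco_admins and the index name cisco_ios are placeholders; only the macro name and its default definition index=ios come from the post.

```ini
# Added example, not from the original post. Placeholders: role "cisco_admins",
# custom index "cisco_ios". Adjust both to your environment.

# $SPLUNK_HOME/etc/system/local/authorize.conf
# Role stanzas are named role_<roleName>. srchIndexesDefault controls which
# indexes are searched when an SPL search gives no index= term; the index must
# also appear in srchIndexesAllowed or the role cannot read it at all.
[role_cisco_admins]
srchIndexesAllowed = main;cisco_ios
srchIndexesDefault = main;cisco_ios

# $SPLUNK_HOME/etc/apps/<cisco_ios_app>/local/macros.conf
# A local/ override of the app's macro keeps the change across app upgrades.
# Searches and dashboards that call `cisco_ios_index` will then cover both
# the app default (index=ios) and the custom index.
[cisco_ios_index]
definition = (index=ios OR index=cisco_ios)
```

Edit these on the Search Head (where the searches run) and restart Splunk afterwards so the authorize.conf change takes effect; the same result can be reached through the UI paths described in the post.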