Cisco Firewall Add-on - No Data

ahammond
Explorer

I have installed both Cisco Security Suite and Cisco Firewall Add-On, I have a UDP port accepting syslogs from an ASA with a sourcetype of cisco_firewall. I can view realtime data in Security Suite but the Cisco Firewall shows no results when I select Overview or Real Time Dashboard.

The Overview inspect shows:

This search has completed and found 362 matching events. However, the transforming commands in the highlighted portion of the following search:

search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host,log_level_desc,event_desc, _time

over the time range:

3/14/12 3:00:00.000 AM – 3/14/12 3:00:00.000 PM

generated no results.

However if I select a time from the drop down or change the search to search eventtype="ciscofirewall" | bin _time span=5m results are displayed?

0 Karma

MarioM
Motivator

sourcetype actually should be cisco_asa.

cisco_firewall is the eventtype search for %ASA OR %PIX OR %FWSM

sourcetype=cisco_firewall is only used for events pre-indexed as cisco_firewall sourcetype. Back-support for community version <= 4.1.4

And by default the app should apply a sourcetype, so there is no need to set a sourcetype.

But it might not be the reason for your issue.

0 Karma
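The answer above separates two things the question runs together: cisco_firewall is an eventtype (a saved search over the raw text for %ASA OR %PIX OR %FWSM), while cisco_asa is the sourcetype the add-on's field extractions are keyed on. That distinction also explains the shape of the inspect output in the question: a base search can match events while stats ... by produces no rows, because Splunk's stats drops every event that lacks any one of the by fields (src_ip, dest_ip, log_level_desc, event_desc here), and those fields only exist if the extractions for the event's sourcetype fired. The following is an added example, not code from the thread or from the Cisco add-on: a small Python emulation of that pipeline. The syslog lines, host name, addresses and extraction regexes are constructed for the illustration and stand in for the add-on's real props.conf, which is not shown on this page.

```python
"""Added example (not from the thread or the Cisco add-on): emulate why
`search eventtype="cisco_firewall" | bin _time span=5m | stats count by ...`
can match events yet return no rows.  Splunk's `stats ... by` discards any
event missing one of the by-fields; if the add-on's extractions never ran
(e.g. the events were indexed under a sourcetype the props do not cover)
every event is discarded and the dashboard is empty.
"""
import re
from collections import Counter

# Constructed ASA syslog lines (hypothetical host, documentation-range addresses).
SAMPLE_EVENTS = [
    "Mar 14 03:12:01 fw01 %ASA-6-302013: Built inbound TCP connection 1234 "
    "for outside:203.0.113.7/51022 (203.0.113.7/51022) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Mar 14 03:12:05 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 "
    "dst inside:10.0.0.8/22 by access-group \"outside_in\" [0x0, 0x0]",
    "Mar 14 03:17:09 fw01 %ASA-6-302014: Teardown TCP connection 1234 "
    "for outside:203.0.113.7/51022 to inside:10.0.0.5/443 duration 0:00:07 bytes 4096 TCP FINs",
]

# The eventtype as the answer describes it: a raw-text match on %ASA OR %PIX OR %FWSM.
EVENTTYPE_RE = re.compile(r"%(ASA|PIX|FWSM)-")

# Assumed per-sourcetype extractions standing in for the add-on's props.conf.
# Only cisco_asa gets them; events indexed under any other sourcetype end up
# with no src_ip / dest_ip / log_level_desc / event_desc fields at all.
FIELD_EXTRACTIONS = {
    "cisco_asa": [
        re.compile(r"%ASA-(?P<severity>\d)-\d+: (?P<event_desc>Built|Deny|Teardown)"),
        re.compile(r"\w+:(?P<src_ip>\d+(?:\.\d+){3})/\d+.*?(?:dst|to) \w+:(?P<dest_ip>\d+(?:\.\d+){3})/\d+"),
    ]
}

# Cisco ASA syslog severity names, index 0-7.
SEVERITY_NAMES = ["emergencies", "alert", "critical", "error",
                  "warning", "notification", "informational", "debugging"]

# The by-fields from the Overview search quoted in the question.
DASHBOARD_BY_FIELDS = ["eventtype", "src_ip", "dest_ip", "host",
                       "log_level_desc", "event_desc", "_time"]


def bin_time(line, span_minutes=5):
    """Floor the 'Mon DD HH:MM:SS' prefix to a span_minutes bucket (like `bin _time span=5m`)."""
    mon, day, clock = line.split(" ", 3)[:3]
    hh, mm, _ = clock.split(":")
    bucket = int(mm) - int(mm) % span_minutes
    return f"{mon} {day} {hh}:{bucket:02d}"


def index_events(lines, sourcetype):
    """Turn raw lines into Splunk-like event dicts indexed under `sourcetype`."""
    events = []
    for line in lines:
        ev = {"_raw": line, "sourcetype": sourcetype,
              "host": line.split(" ", 4)[3], "_time": bin_time(line)}
        if EVENTTYPE_RE.search(line):          # eventtype is evaluated on the raw text
            ev["eventtype"] = "cisco_firewall"
        for rx in FIELD_EXTRACTIONS.get(sourcetype, []):
            m = rx.search(line)
            if m:
                ev.update(m.groupdict())
        if "severity" in ev:
            ev["log_level_desc"] = SEVERITY_NAMES[int(ev.pop("severity"))]
        events.append(ev)
    return events


def stats_count_by(events, by_fields):
    """Emulate `stats count by f1, f2, ...`: events missing any by-field are dropped."""
    rows = Counter()
    for ev in events:
        if all(f in ev for f in by_fields):
            rows[tuple(ev[f] for f in by_fields)] += 1
    return rows


def run_overview_search(lines, sourcetype):
    """Run the Overview search and return (events matched by the base search, stats rows)."""
    matched = [ev for ev in index_events(lines, sourcetype)
               if ev.get("eventtype") == "cisco_firewall"]
    return len(matched), stats_count_by(matched, DASHBOARD_BY_FIELDS)


if __name__ == "__main__":
    for st in ("cisco_asa", "cisco_firewall"):
        n, rows = run_overview_search(SAMPLE_EVENTS, st)
        print(f"sourcetype={st}: base search matched {n} events, stats produced {len(rows)} rows")
```

Under the cisco_asa sourcetype all three constructed events carry the extracted fields and stats yields one row each; under cisco_firewall the eventtype still matches (it only looks at the raw text) but no extractions fire, so the base search reports three matching events and stats reports nothing, the same pattern as the "found 362 matching events ... generated no results" inspect message. A quick check on a real instance is to run the base search without the stats clause and look at which of the by-fields are actually populated in the field sidebar.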

ahammond
Explorer

App setup wizard was used to create the UDP Data Input and it did so with sourcetype blank. No results showed in suite or add-on. I changed the data input's sourcetype to cisco_asa first so I have some data indexed this way but no results showed again, it was only after I changed the sourcetype to cisco_firewall that results showed. Also inspects show all failed searches are by eventtype but no eventtypes exist in the manager interface.

inspect examples
search eventtype="cisco_firewall" | bin _time span=5m
search eventtype=cisco_ips gc_score<0 | lookup geoip clientip as src_ip | bin _time span=5m

0 Karma