How to troubleshoot a syslog data source with source type missing for Meraki-Technology Add-on?

brian1_tate
Path Finder

Hello all,

I'm having some really odd issues with the TA-Meraki app. It seems I have my data set to directly come in on 514 and can search it in Splunk ES, but it is not usable in ESS. From the TA details, using CIM 4.9, it seems I have the tags and event types listed. I cannot search my data by source type even though it does exist as meraki. I have also even tried overriding the source name in the data input, but with no luck. I can't see this properly mapping my data if the search fails on source type; furthermore, in data summary, it is not listed for hosts, sources or source types.

What would everyone recommend I check from this point and in order?

Thank you,
BT

0 Karma
1 Solution

brian1_tate
Path Finder

So I ended up looking at what input.conf was actually in the local directory; when there was none listed, it explained what I saw in the data summary. These did exist in the TA under etc/apps and in the default directories but not in the primary local. After adding this and adding the line for udp 514 along with source and sourcetype to be used, the events magically aligned. I would have thought adding this as an input with these parameters would have added a line and the same information I used to create the input and ensure data was going to the same index, but it appears not.

Therefore, the best thing I can recommend for those running into this is to check inputs and props, regardless of whether it's a single instance, and ensure there are settings in the local directories to override any others.

0 Karma
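The check recommended in the accepted answer, as an added example (not code from the post, the add-on or Splunk): it merges inputs.conf layers in the order the caller lists them, highest precedence first, and reports which file each effective setting for `[udp://514]` comes from. The file paths, the layer contents and the `meraki_syslog` source name are constructed for illustration; on a real instance `splunk btool inputs list --debug` prints the actual merged view.

```python
import configparser

def read_conf(text):
    """Parse one .conf layer into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                      strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective(layers, stanza):
    """Merge layers (highest precedence first); return {key: (value, layer_label)}."""
    merged = {}
    for label, text in layers:
        for key, value in read_conf(text).get(stanza, {}).items():
            merged.setdefault(key, (value, label))  # first (highest) layer wins
    return merged

def audit(layers, stanza, expected):
    """Return findings for keys that are missing or differ from the expected value."""
    eff = effective(layers, stanza)
    if not eff:
        return [f"[{stanza}] is not defined in any layer"]
    findings = []
    for key, want in expected.items():
        if key not in eff:
            findings.append(f"{key} is not set for [{stanza}]")
        elif eff[key][0] != want:
            findings.append(f"{key}={eff[key][0]} (from {eff[key][1]}), expected {want}")
    return findings

# Constructed sample layers, highest precedence first. Paths and contents are assumptions.
BEFORE = [
    ("etc/apps/search/local/inputs.conf", "[udp://514]\nconnection_host = ip\n"),
    ("etc/apps/TA-Meraki/default/inputs.conf", "# no udp stanza shipped (assumed)\n"),
]
AFTER = [("etc/apps/TA-Meraki/local/inputs.conf",
          "[udp://514]\nsourcetype = meraki\nsource = meraki_syslog\n")] + BEFORE

if __name__ == "__main__":
    for name, layers in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(layers, "udp://514", {"sourcetype": "meraki"}))
        for key, (value, label) in sorted(effective(layers, "udp://514").items()):
            print(f"  {label}: {key} = {value}")
```
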
