Solved: Need to display more data: Model, Serial, CDP, etc

ptysupport · ‎11-06-2014

Hello, firstly let me say thanks for making such a great app available.

I've setup "Technology Add-On for Cisco IOS" and "Cisco IOS" on a test server. I get data on UDP 514, and it is collecting events from devices. However, I'm not able to get information such as device models, serials, CDP, etc. How do I configure this app in order to get those parameters populated.

TIA

mikaelbje · ‎11-06-2014

Hi!

Thanks for your feedback. The best way to thank me is to give the apps a rating on apps.splunk.com 🙂

Currently the app supports receiving data from two sources:

Syslog (log events)
Smart Call Home (Inventory: Model, serial, software version, sitte ID, hostname)

It does not support getting CDP info as this is info you normally need to get through SNMP, however if you have Nexus devices, discovered CDP neighbors are in fact logged as syslog events, but this only happens when they are connected, so you won't get any data from already connected devices. The traditional Catalyst series don't log discovered CDP neighbors.

I am currently working on a Splunk App for Cisco Prime Infrastructure as well, and this will support getting extended device information from devices as well as details about their interfaces, CDP/LLDP neighbors etc. This app will fit together with the Cisco IOS app. It will also support getting the same kind of information from other device types in Cisco Prime Infrastructure such as ASAs.

I do not have an ETA on the Cisco Prime Infrastructure app yet, but you can get some device info from your devices by doing the following:

1.1. Add a new TCP data input on a port of your choice, set sourcetype to Cisco:SmartCallHome
Make sure this input resolves hostnames if your UDP 514 input also resolves hostnames as the hostname/IP is what we use to join the data sources.

1.2. On your Cisco devices:

service call-home

call-home

contact-email-addr YOUR.EMAIL@ADDR.ESS

site-id "YOUR_SITE_NAME"

profile "Splunk"

destination transport-method http

destination address http http://SPLUNK.SERVER.IP:TCP_PORT_FROM_1.2
subscribe-to-alert-group diagnostic severity debug

subscribe-to-alert-group environment severity debug

subscribe-to-alert-group inventory

subscribe-to-alert-group inventory periodic daily 22:30

You need a fairly recent IOS version for Smart Call Home support. Also note that Catalyst 2960 series and below are not able to schedule Call Home events, so you will not get daily updates for these switches.
If you need to send Smart Call Home events from a specific source interface on your switch you will also need:

ip http client source-interface InterfaceName1

If you want to send a Smart Call Home event immediately, issue the following on your switch:

call-home send alert-group inventory

To check if the events were received, issue a search for sourcetype=Cisco:SmartCallHome

Let me know how it goes 🙂 I will make some refinements to the app in the near future to make this work even better.

View solution in original post

Skodovec · ‎03-02-2015

Unable to display information from the SFP module as Tx power and temperature on Cisco 4948
Call-home got activated.
please help
thank you

mikaelbje · ‎03-02-2015

Hi Skodovec,

The transceiver power and temperature panels in the dashboard do not require call-home.
You need a DOM compatible SFP and the SFP temp/power has to go above or below its threshold value before you see anything in this dashboard.

You will see a graph in those panels if you receive an event with



sourcetype=cisco:ios facility=SFF8472 mnemonic=THRESHOLD_VIOLATION

There are a few examples here: https://supportforums.cisco.com/discussion/11558006/cat-4500-showing-error-sff8472-5-thresholdviolat...

The app does not poll the device for any data which means it doesn't display any values if your device hasn't logged them.

TaylorWhitt · ‎11-07-2014

Something else you could do is use event neighbor discovery, as part of the Embedded Event Manager (EEM).

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_06.html#wp1181238

Sorry I can't elaborate, I haven't used it personally, but apparently you can do quite a bit with it.

mikaelbje · ‎11-07-2014

Yep, EEM is an option, but not supported on all models. For 3750 at least you need the IP base license. 2960 is a no go.

mikaelbje · ‎11-06-2014

Hi!

Thanks for your feedback. The best way to thank me is to give the apps a rating on apps.splunk.com 🙂

Currently the app supports receiving data from two sources:

Syslog (log events)
Smart Call Home (Inventory: Model, serial, software version, sitte ID, hostname)

It does not support getting CDP info as this is info you normally need to get through SNMP, however if you have Nexus devices, discovered CDP neighbors are in fact logged as syslog events, but this only happens when they are connected, so you won't get any data from already connected devices. The traditional Catalyst series don't log discovered CDP neighbors.

I am currently working on a Splunk App for Cisco Prime Infrastructure as well, and this will support getting extended device information from devices as well as details about their interfaces, CDP/LLDP neighbors etc. This app will fit together with the Cisco IOS app. It will also support getting the same kind of information from other device types in Cisco Prime Infrastructure such as ASAs.

I do not have an ETA on the Cisco Prime Infrastructure app yet, but you can get some device info from your devices by doing the following:

1.1. Add a new TCP data input on a port of your choice, set sourcetype to Cisco:SmartCallHome
Make sure this input resolves hostnames if your UDP 514 input also resolves hostnames as the hostname/IP is what we use to join the data sources.

1.2. On your Cisco devices:

service call-home

call-home

contact-email-addr YOUR.EMAIL@ADDR.ESS

site-id "YOUR_SITE_NAME"

profile "Splunk"

destination transport-method http

destination address http http://SPLUNK.SERVER.IP:TCP_PORT_FROM_1.2
subscribe-to-alert-group diagnostic severity debug

subscribe-to-alert-group environment severity debug

subscribe-to-alert-group inventory

subscribe-to-alert-group inventory periodic daily 22:30

You need a fairly recent IOS version for Smart Call Home support. Also note that Catalyst 2960 series and below are not able to schedule Call Home events, so you will not get daily updates for these switches.
If you need to send Smart Call Home events from a specific source interface on your switch you will also need:

ip http client source-interface InterfaceName1

If you want to send a Smart Call Home event immediately, issue the following on your switch:

call-home send alert-group inventory

To check if the events were received, issue a search for sourcetype=Cisco:SmartCallHome

Let me know how it goes 🙂 I will make some refinements to the app in the near future to make this work even better.

satishsdange · ‎03-03-2015

Hi @mikaelbje - What if we run "show cdp neighbor" on Cisco network appliance & capture it using scripted inputs. This is what we are doing in Cisco Nexus 9K.

mikaelbje · ‎03-03-2015

Sure, that works. However a standardized way to capture the format of the scripted inputs needs to be defined if I'd add support for this in the app. Not all users want their Splunk servers to poll their devices.

mikev · ‎05-12-2017

Any further progress on Cisco Prime? I have a client that has a vary large Prime install base. The current TA when set to sourcetype=cisco:ios doesn't resolve much, while I do get more fields that when set to syslog, I'm grasping at straws on what I should be extracting.

bsafrit · ‎11-20-2014

Great to hear that you are working on a Cisco Prime Infrastructure app.

Need to display more data: Model, Serial, CDP, etc

1.2. On your Cisco devices:

subscribe-to-alert-group inventory periodic daily 22:30

1.2. On your Cisco devices:

subscribe-to-alert-group inventory periodic daily 22:30

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes