After upgrading the Cisco Networks App and Add-on for Splunk Enterprise to 2.3.0, why are panels showing "No results found" or lookup errors?

nychawk
Communicator

Hello;

I've recently upgraded Cisco Networks App for Splunk Enterprise to cisco_ios 2.3.0, shortly followed by an upgrade to the TA on my Universal Forwarder and Indexers to TA-cisco_ios 2.3.0.

My UF has its inputs.conf configured as:

[monitor:///syslog-data/ios.log]
sourcetype=syslog

BTW, I've also tried setting this to "sourcetype=cisco:ios".

Where before I was receiving data inside of the app, now I am seeing "No results found." for each panel, except for "Diagnostic messages", where I am now seeing "Error in 'lookup' command: The lookup table 'cisco_ios_severity' does not exist."

I've gone through the install setup for the add-on again, and am not able to determine why I am not seeing data.

I've confirmed that my syslog file is from valid IOS devices. By the way, all of my devices are currently writing to the same file, and have always done so.

Any suggestions?

-mi

1 Solution

mikaelbje
Motivator

Hi!

  1. What Splunk version are you running?
  2. You did not specify that you upgraded TA-cisco_ios to 2.3.0 on your SEARCH HEAD. Did you do this?
  3. Could you post some samples from your ios.log?
  4. Could you try deleting the app and add-on from your servers and then reinstalling them?

Regards,
Mikael

nychawk
Communicator

Hi Mikael;

Thank you for your response, I don't recall adding the TA to my search head, but I just installed it; my results are much better, thank you!

On another topic, how do I populate information like site, software versions, model, etc.?

By the way, awesome app, thank you!

-mi

mikaelbje
Motivator

Glad you sorted it out.

The Inventory stuff is populated by Smart Call Home. See the Help page 🙂 It only works for 3000 series and up, not 2960s.

nychawk
Communicator

Is extracting this information via SNMP on your roadmap?

Kind regards,

-mi

mikaelbje
Motivator

No, not currently. My best suggestion is to get this data from a third-party solution such as a CMDB. That way you're able to get inventory details for other assets in your organization too.

nychawk
Communicator

I will try to populate it using Qualys...
