I have installed the latest Add-on and Cisco Network App for Splunk Enterprise, but many of the dashboards don't work anymore and display the following message: "No Search Query Provided". When I check the dashboards, the search string is in fact empty.
Running Splunk 6.2
Damn, Cisco! They seem to keep changing the format of the IOS XR logs between software versions.
I just made an update to correct your case. Could you try to get the latest TA-cisco_ios from https://github.com/inspired/TA-cisco_ios ?
Remember to upgrade both search heads and indexers with the latest TA-cisco_ios.
You do not need to upgrade cisco_ios.
Let me know if this fixes your issue and please mark as Answered if it does 🙂
Hi Mikael,
This did solve it partly; it seems the regex still does not catch all the cisco:ios messages from these XR routers... they are marked as syslog.
Maybe I can send you more examples of the syslog as it comes from the routers?
Regards,
Marius
Sure, send more samples 🙂 In fact, try to use the Issues thing on GitHub for TA-cisco_ios to submit the samples and a short description. That makes it easier for me to keep track.
Hi!
Hi, sorry for the late reply.
A complete delete and re-install was done initially. I was mistaken; my Splunk version is 6.1.3. It is a distributed environment and the TA package was installed on the indexers as per the instructions.
The reason for the upgrade is that our XR routers' syslog does not get marked as cisco:ios, and I thought this would fix that. The syslog format looks like this:
Oct 9 09:59:46 10.117.0.147 85915: za-mid-mtb-msr01 RP/0/RSP0/CPU0:Oct 9 09:59:46.271 : exec[65908]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'argus' from '10.117.1.18' on 'vty3'
I will upgrade to 6.2 if required to get the XR syslog to work as certain dashboards we built depend on this.
Regards,
Marius
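To make the sourcetype problem concrete, here is an added example (not part of the thread and not TA-cisco_ios code) that parses the IOS XR syslog layout shown above into its components and pulls the login events out of the SECURITY messages. The second sample line and the plain-syslog line are constructed for the demonstration; the group names and the `classify`/`login_events` helpers are assumptions of this example, not TA-cisco_ios field names.

```python
import re
from typing import Dict, List, Optional

# Constructed samples in the IOS XR layout from the thread: the first is the line
# quoted above, the second is a made-up failed-login variant in the same layout.
SAMPLE_LINES = [
    "Oct 9 09:59:46 10.117.0.147 85915: za-mid-mtb-msr01 RP/0/RSP0/CPU0:Oct 9 09:59:46.271 : "
    "exec[65908]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'argus' "
    "from '10.117.1.18' on 'vty3'",
    "Oct 9 10:02:11 10.117.0.147 85916: za-mid-mtb-msr01 RP/0/RSP0/CPU0:Oct 9 10:02:11.004 : "
    "exec[65910]: %SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user "
    "'argus' from '10.117.1.99' on 'vty3'",
]

# relay timestamp, relay IP, sequence, hostname, XR node (RP/slot/card/CPU),
# device timestamp, process[pid], %FACILITY[-subfacility]-SEVERITY-MNEMONIC, text.
IOSXR_RE = re.compile(
    r"^(?P<relay_time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<seq>\d+): "
    r"(?P<host>\S+) "
    r"(?P<node>RP/\d+/\S+?):"
    r"(?P<dev_time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) : "
    r"(?P<process>[\w-]+)\[(?P<pid>\d+)\]: "
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<subfacility>[A-Za-z0-9_]+))?"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+) : "
    r"(?P<message>.*)$"
)
# The user/source/line triple embedded in AUTHEN_* message text.
LOGIN_RE = re.compile(r"user '(?P<user>[^']+)' from '(?P<src>[^']+)' on '(?P<line>[^']+)'")


def parse_iosxr(line: str) -> Optional[Dict[str, object]]:
    """Return the named fields for an IOS XR line, or None if it is not one."""
    m = IOSXR_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["severity"] = int(m["severity"])  # 0 (emergency) .. 7 (debug)
    return ev


def classify(line: str) -> str:
    """Mimic the sourcetype decision: IOS XR layout -> cisco:ios, else syslog."""
    return "cisco:ios" if IOSXR_RE.match(line) else "syslog"


def login_events(lines: List[str]) -> List[Dict[str, object]]:
    """Collect who logged in (or failed to) from SECURITY AUTHEN_* messages."""
    out = []
    for line in lines:
        ev = parse_iosxr(line)
        if not ev or ev["facility"] != "SECURITY" or not str(ev["mnemonic"]).startswith("AUTHEN_"):
            continue
        d = LOGIN_RE.search(str(ev["message"]))
        if d:
            out.append({"host": ev["host"], "result": ev["mnemonic"], **d.groupdict()})
    return out
```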
See my answer below 🙂