Why am I not getting any data in the Switch Dashboard of the Cisco Networks App for Splunk Enterprise?

splunkfly
New Member

Why am I not getting any data in the Switch Dashboard in the Cisco Networks App in Splunk? I see some visual data only in Cisco Networks Overview. Apart from Networks Overview, I cannot see any data anywhere in the app such as Audit, Switching, Routing, Security, Performance, Wireless, etc.

The method I used is as below:
1. WLC and Cisco switch log files are routed to a syslog-ng server, and I installed the Splunk Universal Forwarder on top of it.
2. Authorized forwarder to connect to splunk server:
sudo /opt/splunkforwarder/bin/splunk add forward-server splunkserverip:port -auth admin:changeme
3. Added the directory for the monitoring:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/switches/

Please help me with your response to complete the task of utilizing all the options of the Cisco Networks app.

0 Karma

mikaelbje
Motivator

Sourcetype must be "cisco:ios" or "syslog".

In Splunk the sourcetype plays an important role. It is the main way of categorizing similar events. All apps rely on specific sourcetypes. It's mentioned in the documentation.

0 Karma

mikaelbje
Motivator

See the Help page in the app for all the parameters you need to set on your devices.

Be sure to set the following as well

logging trap informational

to enable sending all types of logs

You need a high velocity of logs and lots of devices, and most importantly your devices actually have to send the types of logs that are relevant for this use case.

0 Karma

splunkfly
New Member

Thanks for your response. I'm getting all the logs into my syslog server. I have no problem with logs. My question is that I'm able to see the received log data visually only in the Cisco Networks Overview tab in the Cisco Networks app in Splunk. Apart from the Networks Overview option in the app, I cannot see the data in other options of the app such as Audit, Switching, Routing, Security, Performance, Wireless, etc.

0 Karma

mikaelbje
Motivator

Make sure your user searches whatever index your Cisco logs are in by default. Check your role settings.

0 Karma

splunkfly
New Member

I checked my role; I have all the privileges to read, write and execute as an administrator. I'm able to search in the search box, and the data is flowing, but I want to see that data in the networking app.
I reconfigured again today:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/switches -index Cisco_switches_index -sourcetype Cisco_logs

What else should I configure?

0 Karma

mikaelbje
Motivator

Why did you set sourcetype as Cisco_logs when the app expects sourcetype to be cisco:ios?

You're saying that you can see the data in the search app. What is the search string you're using? If it includes an index=whatever that means you need to change your role to search that index BY DEFAULT in role settings.

0 Karma

splunkfly
New Member

When I use the log path as below:
source="/var/log/switches/switch1.log" sourcetype=switch-too_small host=syslog_splunk

but Splunk shows the sourcetype=switch-too_small and host=syslog_splunk.

syslog_splunk is the log server host name, and I see the sourcetype is automatically generated; I never mentioned "switch-too_small".

Do you want me to change the source type to be cisco:ios?

0 Karma
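
The two settings mikaelbje points to in this thread (the sourcetype on the monitor input and the role's default search index), written out as configuration. This is an added example, not part of any post and not the app's own files; `<your_cisco_index>` and `<your_role>` are placeholders, and the setting names are standard Splunk inputs.conf and authorize.conf settings.

```ini
# --- inputs.conf on the universal forwarder (the syslog-ng host) ---
# Edit the existing monitor stanza for this path rather than adding a
# second one, so the forwarder has a single definition for the directory.
[monitor:///var/log/switches]
# Sourcetype the thread says the app expects. Setting it explicitly also
# stops Splunk from auto-assigning one such as "switch-too_small".
sourcetype = cisco:ios
# Placeholder: an index that already exists on the indexer.
index = <your_cisco_index>
disabled = false

# --- authorize.conf on the search head ---
# Placeholder role name: the role held by the user who opens the app.
[role_<your_role>]
# Indexes searched when a search string contains no index=... term.
# The index must also be covered by the role's srchIndexesAllowed.
srchIndexesDefault = main;<your_cisco_index>
```

A sourcetype set on the input applies only to events indexed after the change, so events already indexed as switch-too_small or Cisco_logs keep that sourcetype. Restart the forwarder after editing inputs.conf.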