Cisco App has stopped working after a recent "upgrade"

DBattisto
Communicator

I recently changed some things around our Splunk instance at the request of my customer. On our production system, there were no issues. But when I went back to clean up the lab side, I noticed that the Cisco App stopped working.

On the main page, it only displays port flapping, but nothing else. When I manually search for sourcetype="cisco:ios", I get thousands of results.

The only thing that I changed was splitting up which port our switches and routers send syslogs to. Again, they appear to be indexing properly and are getting tagged as 'cisco:ios'.

Any suggestions? Thanks!

Edit: One year later (almost to the day), I encountered the same issue but had a different cause/solution. I have the TA-Cisco-ios and Splunk_TA_nix running on my search head. The incoming Cisco events were being tagged with the eventtype 'nix-all-logs' due to a configuration in Splunk_TA_nix. To fix this issue, I had to create a local copy of 'eventtypes.conf' for Splunk_TA_nix and specify that several of the *nix eventtypes should only be drawn from the linux index. It fixed my issues, my Cisco events were tagged properly, and the app worked again.

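An added illustration of the fix described in the edit above (not code from the original post or from either add-on): a small Python check that finds eventtypes whose search names no index, and builds a `local/eventtypes.conf` override limiting them to one index. The sample stanzas and their searches are constructed placeholders, not the real Splunk_TA_nix definitions; only the `nix-all-logs` name and the `linux` index come from the post.

```python
import re

# Constructed sample of a default/eventtypes.conf; the searches are
# placeholders, not the real Splunk_TA_nix definitions.
SAMPLE_DEFAULT = """\
[nix-all-logs]
search = source=*.log OR sourcetype=syslog

[nix_scoped_example]
search = index=linux sourcetype=linux_secure

# a stanza without a search is ignored
[nix_tags_only]
disabled = 0
"""

# Matches index=..., index!=... or index IN (...), but not e.g. my_index=
INDEX_TERM = re.compile(r"(?<![\w.])index\s*(?:!?=|IN\b)", re.IGNORECASE)

def parse_eventtypes(conf_text):
    """Return {stanza: search} for stanzas that define a search."""
    searches, stanza = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "search":
                searches[stanza] = value.strip()
    return searches

def unscoped(searches):
    """Eventtypes whose search names no index, so they apply to every index."""
    return sorted(n for n, s in searches.items() if not INDEX_TERM.search(s))

def local_override(searches, names, index):
    """Build local/eventtypes.conf text limiting the named eventtypes to one index."""
    return "\n".join(
        f"[{name}]\nsearch = index={index} ({searches[name]})\n" for name in names
    )

if __name__ == "__main__":
    found = parse_eventtypes(SAMPLE_DEFAULT)
    print(local_override(found, unscoped(found), "linux"))
```

The generated text belongs in the add-on's `local/eventtypes.conf`, so the vendor `default/` file stays untouched and the override survives add-on upgrades.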

vinod94
Contributor

Hi @DBattisto,

It should be there.

Please see the image for reference.

DBattisto
Communicator

Upgraded to 7.2.4 and saw it. Now it works again. Thank you!!

vinod94
Contributor

Glad it worked for you 🙂

vinod94
Contributor

Have you tried rebuilding the data model?

DBattisto
Communicator

Thanks for the suggestion! I'm afraid I'm not familiar with that process. Do you have a good link to follow? This is what I've found on data models, and am not sure if this is what you're referring to:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Managedatamodels

vinod94
Contributor

Hi mate,

You can go to Settings > under Knowledge > Data models. Search for Cisco_ios_event. Expand (>) and you will see an update and rebuild option.

If it still doesn't work, you can try this: mention the index name (your index) if it's not present in the eventtypes and macros.

DBattisto
Communicator

Late reply: I did not see the 'update and rebuild' option. The problem is still occurring, but I have not had time to troubleshoot much.
