Running Splunk Cloud v 7.0.13.
Cisco ACI App installed on Splunk Cloud V 4.0.1
I installed the Cisco ACI Add-on to an existing heavy forwarder (which is already forwarding data to our cloud instance) and, based on the splunkd.log, it looks like it is communicating with the ACI devices just fine.
I do not see any cisco data hitting our cloud instance. I've been looking through the Splunk FAQs for some tips on where to look to troubleshoot this.
I have verified the following:
1. Cisco ACI add on scripts are all enabled on the forwarder
2. splunkd.log (on the forwarder) indicates it is connecting and communicating with the Cisco device.
Looking for suggestions on how to troubleshoot this.
Thanks!
Jon
Ok, final update.
The bottom line was the settings in the eventtypes.conf file needed to be manually added to our Splunk Cloud search head.
After that is done... it works fine.
So if you are running a distributed Splunk configuration... make sure you either copy over the eventtypes.conf from the add-on's ./default directory or manually add them (there were only 5 eventtypes in the ACI add-on).
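The fix above boils down to "every eventtype the add-on ships must also exist on the search head". The script below is an added example (not from this thread, the Cisco ACI app, or Splunk) that parses an add-on's default/eventtypes.conf and a search head's eventtypes.conf and reports which stanzas are missing, and which names would match the app's cisco_apic_* lookup. The stanza names and searches in the two embedded conf samples are constructed for illustration; only the cisco_apic_* / cisco:apic:* naming comes from the thread.

```python
"""Check which eventtypes an add-on ships are missing on a search head."""
import configparser
import fnmatch
from typing import Dict, List

# Constructed sample of an add-on's default/eventtypes.conf. The stanza names
# and searches are hypothetical; only the cisco_apic_* / cisco:apic:* naming
# mirrors the thread.
ADDON_EVENTTYPES_CONF = """
[cisco_apic_credentials]
search = sourcetype="cisco:apic:credentials"

[cisco_apic_health]
search = sourcetype="cisco:apic:health"

[cisco_apic_fault]
search = sourcetype="cisco:apic:fault"
"""

# Constructed sample of the search head's eventtypes.conf, where only one of
# the add-on's eventtypes has been copied over.
SEARCH_HEAD_EVENTTYPES_CONF = """
[cisco_apic_health]
search = sourcetype="cisco:apic:health"
"""


def parse_eventtypes(conf_text: str) -> Dict[str, str]:
    """Return {eventtype_name: search} from Splunk eventtypes.conf text.

    Splunk .conf files are INI-like: one stanza per eventtype with a 'search'
    key. Interpolation is disabled so '%' inside searches is left alone.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    return {name: parser[name].get("search", "") for name in parser.sections()}


def missing_eventtypes(addon_conf: str, search_head_conf: str) -> List[str]:
    """Eventtypes defined by the add-on but absent on the search head."""
    shipped = parse_eventtypes(addon_conf)
    present = parse_eventtypes(search_head_conf)
    return sorted(name for name in shipped if name not in present)


def eventtypes_matching(conf_text: str, pattern: str) -> List[str]:
    """Eventtypes whose names match a wildcard such as cisco_apic_* (case-sensitive)."""
    names = parse_eventtypes(conf_text)
    return sorted(n for n in names if fnmatch.fnmatchcase(n, pattern))


if __name__ == "__main__":
    print("missing on search head:", missing_eventtypes(ADDON_EVENTTYPES_CONF, SEARCH_HEAD_EVENTTYPES_CONF))
    print("cisco_apic_* on search head:", eventtypes_matching(SEARCH_HEAD_EVENTTYPES_CONF, "cisco_apic_*"))
```

On a real deployment, read the two files from the add-on's default directory and from the search head's app directory and pass their contents to the same functions.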
Another update:
I think the data is all there, but the Cisco APP is checking the following in order to populate the dropdown list of APIC Hosts:
eventtype="cisco_apic_*" component=credentials | fields apic_host | dedup apic_host | SORT apic_host
However there is no eventtype with "cisco*".
There is a
sourcetype="cisco:apic:*"
In fact, if I change the search on the dropdown as follows
Change: eventtype="cisco_apic_*"
To: sourcetype="cisco:apic:*"
it works fine.
I wonder if there is a conflict with the version of the Cisco ACI APP running on our search head, and the Cisco ACI Add-on running on the forwarder?
Ok, I do see data coming in from the forwarder. It is being added to the main index. I'm assuming that I also need to add the "apic" index on the forwarder as well?
I added the index 'apic' to Splunk Cloud. I've been checking for data found in the 'apic' index but nothing so far. I verified the forwarder is up and running.
Is there anything I can check on the forwarder to see if it's even attempting to forward the ACI data to the Cloud? I know that it is forwarding other data to the cloud with no issues.
I'll keep digging...
Did you create the index(s) needed by the add-on?
That's probably the issue. The app had been installed on Splunk Cloud a while ago by someone else and I don't see an index named 'apic'.
I will add it and test.
I'll reply with the results.
Thanks!
Jon