Perfect. Now is running correctly!!!
Thanks! 😃

So change your user/role to search the ios index by default, then you won't have to specify index=ios
Please remember to vote the answer

Ok,the search index=ios sourcetype=cisco:ios is running correctly. This search showed all devices events.

Ok, so please try the following search:

index=ios sourcetype=cisco:ios

Does that return anything?

I have installed the Technology Add-on. Search using index=* host=HOSTNAME_OF_DEVICE is running correctly, after reboot my server. Using search index=ios are showed the devices. But, using search sourcetype="cisco:ios" is not running.
I have devices with sourcetype="syslog". When disable the APP Cisco IOS, my devices are showed in the search sourcetype="syslog".

Ok, I tested your events against the regex and they match.

Could you please provide a screenshot of the whole search window?
Did you install the Technology Add-On?
Did you make sure your user/role searches in the ios index by default?

Dear, Mikael.
The raw events are below.

Apr 9 17:20:30 192.168.10.251 170: 000145: Apr 9 17:20:34.451 GMT-3: %PARSER-5-CFGLOGLOGGEDCMD: User:admin logged command:shutdown Apr 9 17:20:30 192.168.10.251 169: 000144: Apr 9 17:20:34.447 GMT-3: %PARSER-5-CFGLOGLOGGEDCMD: User:admin logged command:shutdown Apr 9 17:20:24 192.168.10.251 168: 000143: Apr 9 17:20:28.691 GMT-3: %PARSER-5-CFGLOGLOGGEDCMD: User:admin logged command:switchport mode access Apr 9 16:06:58 192.168.10.251 157: 000132: Apr 9 16:07:04.059 GMT-3: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.10.111)

[]'s