All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cisco IOS app is not showing any data

zoh
Explorer
‎06-01-2014 11:58 PM

I have data coming in sourcertype "syslog" and i have installed Cisco IOS and Technology add-on however i do not see any data in Cisco IOS application. How to troubleshoot the issue?

Sample log:
Jun 2 11:50:06 10.192.2.4 1203936: 4510-Switch: Jun 2 11:51:22.422: %LINK-3-UPDOWN: Interface GigabitEthernet8/3, changed state to up

0 Karma
Reply

dominik13
Engager
‎11-19-2014 05:11 PM

I'm having the a similar issue.

I have configured 2 source types that are receiving Data:
cisco:asa (udp 5514, used for ASA)
cisco_syslog (udp 514, used for the IOS devices)

I selected these from the drop-downs when I created the listeners (I didn't see 'syslog' in the drop-downs when creating the switch source type).

Since the TA is looking for the 'syslog' source-type, what modifications can I make so that it will find the cisco_syslog sourcetype and convert it?

0 Karma
Reply

mikaelbje
Motivator
‎06-11-2014 02:53 AM

Hi,

  1. The Technology Add-On should transform your "syslog" sourcetype to sourcetype "cisco:ios". You need to make sure the technology add-on is installed on the indexer. If you have a combined search head and indexer you install both the TA and the Cisco IOS app on that server. After you install the TA you need to restart the Splunk indexer
  2. The Cisco IOS app searches the "cisco:ios" sourcetype. It will not display any data for the "syslog" sourcetype.

Please post a screenshot of your results searching for that event. Include the "index" and "sourcetype" fields.

For your reference the sample log you posted matches the regex transform in the TA, which means the transform should work as long as the apps are installed as described in the documentation.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...