Cisco Security Suite no results

ttchorz
Path Finder

Logged into Splunk after a night and Cisco Security Suite shows no results. I have not made any changes; I restarted the whole server but it did not help.

My initial investigation included:
1. Searched index="_internal" – no errors
2. Checked if the index dedicated to Cisco is receiving data – OK
3. Searched index="network_cisco" – OK, events are coming up
4. Searched eventtype="cisco-security-events" – no events
5. Searched index="network_cisco" eventtype="cisco-security-events" – OK, events are coming up

It is strange that eventtype="cisco-security-events" shows no results, but when I run index="network_cisco" I see the eventtype cisco-security-events in the left side panel.
Do you have any idea what could have broken the Cisco Security Suite app?

0 Karma
1 Solution

jconger
Splunk Employee

You have 2 ways to resolve this:

  1. Make your network_cisco index searchable by default. You can do this by modifying the Role (Settings -> Access Controls -> Roles). Add your network_cisco index to the indexes searched by default.
  2. Create a folder named local within the Splunk_CiscoSecuritySuite directory. Copy eventtypes.conf from Splunk_CiscoSecuritySuite/default to Splunk_CiscoSecuritySuite/local. Then, modify the local/eventtypes.conf file to include your index in the searches.

The first option is easier and will allow you to do correlation searches more easily, as you don't have to explicitly specify the index when searching.
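Both options from the answer, written out as configuration stanzas. This is an added example, not configuration from the thread or from the Splunk_CiscoSecuritySuite app. It assumes SPLUNK_HOME is /opt/splunk, that the role needing the data is Splunk's built-in `role_user` (substitute the role the asker actually edited), and that the eventtype's original search expression is copied from the app's default/eventtypes.conf, which the page does not reproduce; the `<...>` text is a placeholder for it. The eventtype name `cisco-security-events` and the index `network_cisco` are the ones from the thread.

```ini
# Added example; not the app's shipped configuration. Paths and role name are assumptions.

# --- Option 1: /opt/splunk/etc/system/local/authorize.conf ---------------------
# srchIndexesDefault lists the indexes searched when a query names no index,
# which is exactly the case for an eventtype whose search omits "index=".
# The index must also be covered by the role's srchIndexesAllowed setting
# (explicitly or by wildcard); a default index the role may not search
# still returns nothing.
[role_user]
srchIndexesDefault = main;network_cisco

# --- Option 2: /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/local/eventtypes.conf
# A stanza in local/ overrides the same-named stanza in default/ key by key,
# and local/ is preserved when the app is upgraded, which is why the answer
# says to copy the file into local/ rather than edit default/eventtypes.conf.
# Only the "search" key is overridden here; every other key keeps its default.
[cisco-security-events]
search = index=network_cisco (<original search expression from default/eventtypes.conf>)
```

After a restart, `splunk btool authorize list role_user --debug` and `splunk btool eventtypes list cisco-security-events --debug` show which file each effective setting comes from, which is the quickest way to confirm the local/ override won (or that a role edit made through the UI landed where expected). Option 2 fixes only this app's eventtype; any saved search or dashboard that also relies on the default-searched indexes still needs option 1.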

ttchorz
Path Finder

THANKS! I used option 1. That was very simple and I couldn't figure this out.

One more question came to my mind: why do I get results for the Windows app if the associated index is not added to the indexes searched by default? Is this because the Windows App allows you to set the index in local/inputs.conf?

0 Karma

jconger
Splunk Employee

A lot of the Windows data is in the main index, which is already searchable by default. Some of the Windows data does write to other indexes though (like perfmon and msad).

0 Karma

ttchorz
Path Finder

I do not have anything in main now. All of the Windows data is being written to indexes such as wineventlog:security etc., but they are not defined in Roles to be searched by default; however, the Windows App is working fine.

0 Karma

ttchorz
Path Finder

I actually did make a change: I changed the index for network devices from main to network_cisco.
I guess this is causing the problem now. Where in the .conf files do I point to the new index?

0 Karma