How do I install cisco network app and get it up and running?
That explains it. You need 6.1+ as stated on the app's download page.
If you upgraded from previous versions of the apps, a complete deletion of the app's directories followed by a reinstall is recommended if you are having issues. A lot has changed.
I've already got Syslog data in NCS Prime and SolarWinds Orion. I'd rather collect data from these aggregate sources. Is this supported somehow?
Thanks,
David
Please create a new question/thread instead of reusing an existing one 🙂
The new Cisco Splunk app we have installed is creating data models in the local directory (we only have 13G of available space on local) and we are running out of space, which stops Splunk completely and makes it unusable to anyone. I temporarily disabled the Cisco app and will enable it once we have a solution.
I suggest you consult a Splunk professional to get your setup tuned. For the index where you store your IOS logs you need to set a tstatsHomePath to a volume that is outside of your Splunk working dir, i.e. where you store your data. See http://answers.splunk.com/answers/108183/how-to-change-the-path-of-datamodel-summary.html
It's not particularly complicated, but requires some knowledge about how Splunk stores accelerated indexes. Another option is to disable the acceleration of the Cisco IOS Event data model, but that will slow down your dashboards.
I can't provide any more answers as there have been numerous questions already in this thread, a lot of general and unrelated to the app.
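As an added illustration of the tstatsHomePath change suggested above (this is example configuration written for this thread, not the app's own files; the volume path, size cap and index name are assumptions):

```ini
# indexes.conf (on the indexers). Added example: moves the data model
# acceleration summaries for the network_syslog index off the Splunk
# working directory onto a separate, size-capped volume.

# Weak setting: leaving tstatsHomePath at its default keeps the summaries
# under $SPLUNK_DB, i.e. on the small local disk that is filling up.
# The default is equivalent to:
# tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary

# Assumed mount point with enough room for accelerated summaries.
[volume:summaries]
path = /data/splunk_summaries
# Cap the volume so summaries can never fill the disk (size is an assumption).
maxVolumeDataSizeMB = 50000

[network_syslog]
homePath   = $SPLUNK_DB/network_syslog/db
coldPath   = $SPLUNK_DB/network_syslog/colddb
thawedPath = $SPLUNK_DB/network_syslog/thaweddb
# Corrected setting: summaries for this index live on the dedicated volume.
tstatsHomePath = volume:summaries/network_syslog/datamodel_summary
```

Restart the indexer after changing it; the summaries are then built under the new path.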
We'd need an official response from Splunk to get a good answer. Generally all roles should run the same version, however minor version differences are ok unless there's a specific bug, so mixing i.e. 6.2.1 with 6.2.2 is ok. I would not mix 6.2 with 6.1 or 6.1 with 6.0 except in the interim while you are upgrading servers. Things may break and it's hard to predict what. Other times everything appears to work just fine.
You don't have to upgrade your forwarders.
Please vote or check helpful answers as Accepted.
What would happen if the indexer and search head are running different versions of Splunk?
Thank you Sir, will upgrade and see how it goes from there.
I suspect you only have a single server Splunk instance. In this case add a new UDP input on port 514 and set sourcetype as "syslog". Leave source blank.
Next step is to install the Cisco Networks app and Cisco Networks add-on. This is done through Apps - Manage apps. The Cisco Networks app contains a Help page with information about what you should configure on your Cisco devices.
If you need help installing apps in general I would recommend that you consult the Splunk Enterprise documentation at docs.splunk.com.
For distributed environments there are various ways you can collect the logs. I won't get into detail here, but for a best practice configuration you normally receive the logs with a Syslog daemon and forward the logs to your Splunk indexers with a Universal Forwarder. A Splunk consultant can help you get this set up properly. There are also good examples in the Splunk docs.
Does this app need smart call home to work?
No, not at all. Smart Call Home is only needed if you want to collect inventory data from your devices. Syslog suffices for most uses.
I'll clarify that in the docs.
OK, I have it installed correctly and UDP is open, but search data is not being populated in the app.
What if you do a manual search for:
index=* sourcetype=cisco:ios OR sourcetype=syslog
Do you see any data? Is the sourcetype syslog or cisco:ios? If it's syslog please paste the raw event here for me to see. If it's cisco:ios check the index. If the index is something other than main you need to go to Settings - Access controls - Roles - user role - Indexes searched by default - add your index.
Hi Mikael,
We have installed this app but not seeing any results on dashboards. I have changed default index=network_syslog to replicate ours.
I have tried running this dashboard's searches with our index name and source (syslog), but it does not come back with results, though we have data:
index=network_syslog sourcetype=syslog (results are displayed)
index=network_syslog sourcetype=syslog eventtype="cisco_ios-ipsla" | eval state=case(state_to == "Up", 1, state_to == "Down", -1) | strcat dvc " " ip_sla_id dvc_ip_sla_id | timechart avg(state) AS state BY dvc_ip_sla_id | fillnull value=0 (no results found)
Do we need to configure anything on routers or network devices?
Hmm, try not setting source as syslog for your UDP input. Leave source empty. Sourcetype however can be set to syslog. Paste the event's contents as you see it in Splunk. Also let me know the sourcetype and source it shows up with. I'll run that through a regex match to check what's wrong.
Another trick might be to set:
no_appending_timestamp = true
For the UDP input. You'll have to do that in the config files though.
I have tried these settings but they do not work.
We have all our network devices sending logs to a syslog-ng server (forwarder installed) from where logs are sent to the Splunk indexers.
Do we need to do something on the network devices to make this app work, or does the above mechanism work?
Can you please provide any documentation for forwarder configurations to make this app work?
I asked for an example log. If you could please provide one I am more than willing to help you.
Did you also install the Cisco Networks Add-on on your indexer? You need the add-on on your indexers. On the search head you need both the app and add-on.
We still don't see data even after installing the app on the indexers: add-on on all indexers, app and add-on on the search head. Screenshot attached.
Screenshot received by e-mail showing dashboards failing to load search results from peers/indexers (search ended prematurely)
Never seen this before. What Splunk version are you on?
I also need to see one of the log lines from your Cisco devices as indexed by Splunk. You mentioned that you saw them when you searched for sourcetype=syslog. I need the raw event as you see it in Splunk. No screenshots please.
You also mentioned that you opened up a UDP input but that you are using a syslog daemon. If you are indexing the files created by your syslog daemon you don't need to open up a UDP input on the Splunk server.
Please send me the contents of your monitor stanza for the syslog files in the inputs.conf on your syslog server.
Please also clarify whether you have installed
* TA-cisco_ios on your indexers
* cisco_networks and TA-cisco_ios on search heads
I'd appreciate it if you continued to post the questions online. There are other people out there who might be able to help. This is most likely not an issue directly related to the app, but to your specific configuration.
Mikael
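To make the two collection paths discussed in this thread concrete (the UDP input with no_appending_timestamp from the earlier reply, and the monitor stanza on the syslog server requested here), an added example inputs.conf; it is not the app's own configuration, and the index name, port and syslog-ng file path are assumptions:

```ini
# inputs.conf: added example, not part of the Cisco Networks app.
# Use ONE of the two stanzas: Option A on a single-server Splunk that
# receives syslog directly, Option B on the syslog-ng host that runs a
# Universal Forwarder. Running both would index every event twice.

# Option A: single-server Splunk receiving syslog directly on UDP 514.
[udp://514]
index = network_syslog
sourcetype = syslog
# Do not set "source"; leave it at its default.
# Keep the device's own timestamp instead of letting Splunk prepend its own.
no_appending_timestamp = true
# Attribute each event to the sending device by its IP address.
connection_host = ip

# Option B: Universal Forwarder on the syslog-ng server, monitoring the
# files syslog-ng writes per device (assumed path /var/log/syslog-ng/<device>/cisco.log).
[monitor:///var/log/syslog-ng/*/cisco.log]
index = network_syslog
sourcetype = syslog
# Path segment 4 (/var=1, log=2, syslog-ng=3, <device>=4) becomes the host field.
host_segment = 4
disabled = false
```

With Option B the forwarder sends raw events, so the TA-cisco_ios add-on must be on the indexers for the sourcetype to be parsed, which matches the checklist above.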
Mikael, getting some data now but still a lot of data not showing up. Any ideas?