Why don’t I receive data from new sensors added to the Splunk Add-on for Cisco IPS?
There is a limitation in the number of credentials the Splunk Add-on for Cisco IPS is able to retrieve. This issue is being tracked on ADDON-3724 and SPL-99756. Until the next release of the add-on, you may use the following workaround to resolve this.
1. Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/ directory.
2. Edit the get_ips_feed.py file.
3. Line 55 should look like the following:
    entities = entity.getEntities(['storage', 'passwords'],
    namespace=APPNAME, owner='nobody', sessionKey=sessionKey)
4. Add count='-1' after the sessionKey argument so the line looks like the line below.
    entities = entity.getEntities(['storage', 'passwords'],
    namespace=APPNAME, owner='nobody', sessionKey=sessionKey, count='-1')
5. Save the file.
6. Restart Splunk.
You should no longer receive the error messages in the sdee_get.log file, and your data should start getting indexed.
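For hosts where the edit has to be repeated, the following added example (not part of the add-on or of the original answer) applies steps 3 and 4 idempotently and keeps a backup of the original file. The helper names `patch_source` and `patch_file` are hypothetical, and the script assumes the call contains no nested parentheses and is run with a Python 3 interpreter.

```python
import re
import shutil
import sys

# Matches the storage/passwords getEntities call even when it wraps across
# lines. Assumption: the argument list contains no nested parentheses.
CALL_RE = re.compile(
    r"(entity\.getEntities\(\s*\[\s*'storage'\s*,\s*'passwords'\s*\]"
    r"(?P<args>[^)]*))\)"
)

def patch_source(text):
    """Return (new_text, status): 'patched', 'already-patched' or 'not-found'."""
    m = CALL_RE.search(text)
    if m is None:
        return text, "not-found"
    if re.search(r"\bcount\s*=", m.group("args")):
        return text, "already-patched"  # never add the argument twice
    new_call = m.group(1).rstrip().rstrip(",") + ", count='-1')"
    return text[:m.start()] + new_call + text[m.end():], "patched"

def patch_file(path):
    """Patch the file in place, keeping a .bak copy of the original."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, status = patch_source(original)
    if status == "patched":
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    return status

# Constructed sample: the two-line call as shown in step 3.
SAMPLE = (
    "entities = entity.getEntities(['storage', 'passwords'],\n"
    "namespace=APPNAME, owner='nobody', sessionKey=sessionKey)\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(patch_file(sys.argv[1]))   # path to get_ips_feed.py
    else:
        print(patch_source(SAMPLE)[0])   # dry run on the constructed sample
```

A status of `not-found` means the file does not contain the call in the form shown in step 3 and should be edited by hand; Splunk still has to be restarted after the file is patched.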