Re: Cisco IOS and TA not showing data in dashboard...

morphis72 · ‎10-11-2019

I have a distributed environment:
Splunk Enterprise 7.2.4
All infrastructure is RHEL 7.x
Search head cluster (5 search heads)
Multisite Index cluster (20 indexers)
Cisco devices -sending data to--> rsyslog server --> UF collects logs and sends to --> Index cluster (sourcetype=syslog)

I have installed the cisco_ios app on my search head cluster
I have installed the TA-cisco_ios add-on on my search heads and on my indexers
sourcetype = syslog
index = something_that_meets_my_naming_standards

From what I'm reading in the docs it doesn't look like I need to change anything in the TA or the App to include my custom index name. The data is tagged as syslog and I can search the logs within my index but the Cisco dashboards don't find anything.

What am I missing here?

mbjerkeland_spl · ‎10-11-2019

There is a base eventtype you can adapt in the app. I believe it is the first one in eventtypes.conf. Just add your index name to that macro.

A different approach would be to change your roles to automatically search that index by default.

morphis72 · ‎10-14-2019

Here are the first few stanzas in eventyptes.conf. Do I add index=myindexname to each stanza in the file or to a specific one?

 [cisco_ios-acl_log]

[cisco_ios-duplex_mismatch]
search = eventtype=cisco_ios mnemonic=DUPLEX_MISMATCH OR (facility=LWAPP mnemonic=AP_DUPLEX_MISMATCH)

[cisco_ios-native_vlan_mismatch]
search = eventtype=cisco_ios mnemonic=NATIVE_VLAN_MISMATCH

[cisco_ios-port_down]

[cisco_ios-port_up]

[cisco_ios-if_attached]
search = eventtype=cisco_ios facility=VIM mnemonic=IF_ATTACHED

[cisco_ios-stackmgr]
search = eventtype=cisco_ios facility=STACKMGR

mbjerkeland_spl · ‎10-14-2019

Add the index name as index=something to the stanza called cisco_ios

You will see that one referenced in the other stanzas

morphis72 · ‎10-14-2019

Do I need to make any changes to the app? I don't see an eventtype.conf in the companion app but I do see a macro. In macro.conf would I set the index below?

[cisco_ios_index]
definition = (index=*)

[sla-sec2time(2)]
args = seconds,output_field
definition = eval sec2time_days=floor($seconds$/24/3600) | eval sec2time_hours=floor(($seconds$/3600)-(sec2time_days*24)) | eval sec2time_minutes = floor(($seconds$ / 60) - (sec2time_days*60*24) - (sec2time_hours * 60)) | eval sec2time_seconds = floor($seconds$ - (sec2time_days*3600*24) - (sec2time_hours * 3600) - (sec2time_minutes * 60)) | strcat sec2time_days " days " sec2time_hours "h " sec2time_minutes "m " sec2time_seconds "s" $output_field$
iseval = 0

[normalize-int(3)]
args = int_prefix_long,int_suffix,output_field
definition = eval $output_field$=$int_prefix_long$+$int_suffix$
iseval = 0

## Calling these requires the commercial "TA-cisco_ios-multi_tenancy" add-on
## BEGIN
[check_multi_tenancy]
iseval = 0
definition = rest splunk_server=local /services/apps/local/ | search title=TA-cisco_ios-multi_tenancy disabled=0

[get_tenants_for_user_role(1)]
args=user
definition = inputlookup cisco_ios_tenants | stats values(index) AS index BY tenant_name,roles | eval index=mvjoin(index,",") | eval index=replace(index,","," OR index=") | eval index="index=" + index | search [| rest splunk_server=local /services/authentication/users/$user$ | fields roles]
iseval = 0
## END

richgalloway · ‎10-11-2019

Edit the dashboards to see what index they are looking for. Change them to use your index.

---
If this reply helps you, Karma would be appreciated.

morphis72 · ‎10-11-2019

I searched the whole app recursive and couldn’t find an index=

Also don’t see a macro that it might be referring to.

Cisco IOS and TA not showing data in dashboards

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?