Hi All,
I thought I would put up a solution that I found out for myself the hard way.
Version: 3.1.1
Issue:
After using props.conf / transforms.conf to route your firewall data to a different index (not main), the dashboards in the Cisco Security Suite are empty.
Solution:
For completeness' sake, I will show you my props.conf and transforms.conf:
transforms.conf
[set_index_firewall]
# Match Cisco FWSM syslog message IDs such as %FWSM-6-302013 and send the event
# to the index named in FORMAT. That index must already exist in indexes.conf,
# otherwise the routed events are dropped.
REGEX = \%FWSM\-\d{1}\-\d{5}
DEST_KEY = _MetaData:Index
FORMAT = firewallIndex
props.conf
# Sends Cisco firewall logs to index firewallIndex; replace x.x.x.x with your firewall IP.
# The host stanza is a literal/wildcard match, so the IP goes in without parentheses.
[host::x.x.x.x]
# TRANSFORMS-<class>: the class name is an identifier, so keep it free of spaces.
TRANSFORMS-SetNetworkDevices = set_index_firewall
Now for the reason why you don't get any results:
In $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/default there is a file called savedsearches.conf. You will notice that each stanza, e.g. [Cisco Security Suite - Overview - Global Security Events Map], has a setting called 'search ='.
For example:
[Cisco Security Suite - Overview - Global Security Events Map]
search = eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=`local-ip-list(src_ip)` | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country
As an admin (other Splunkers correct me if I am wrong), the default index you search is 'main'. When you run the above search in Splunk you get no results, as the index you want to search is not the default one.
So how do you fix it? Before eventtype= add 'index=yourindexname'.
I added firewallIndex, so the line looks like this:
[Cisco Security Suite - Overview - Global Security Events Map]
search = index=firewallIndex eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=`local-ip-list(src_ip)` | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country
Now add 'index=yourindexname' to every search throughout the file, save it and copy it to $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local (create the folder if it doesn't exist). Keep the edited copy in local rather than editing default: default is replaced when the app is upgraded, while local is preserved and takes precedence over it.
Voilà, it works now :).
Hope this helps someone else.
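Doing the edit above by hand across every stanza is tedious and easy to get wrong, so here is an added example script (not part of the original post or of the Cisco Security Suite app) that automates it. It reads default/savedsearches.conf, prepends index=<name> to each 'search =' setting that does not already name an index, and writes the result to local/savedsearches.conf without touching default/. The app directory layout, the index name firewallIndex and the sample stanzas embedded below are assumptions for the demo; the search line mirrors the one quoted in the post. It also covers two cases the post does not mention: a search that already carries index= is left alone, and a search that starts with '|' (a generating command) is skipped, because a leading index= term there would be a syntax error.

```python
"""Scope every saved search in a Splunk app to a non-default index.

Added example, not code from the original post or from the Cisco Security
Suite app. It automates the manual edit described above: read
default/savedsearches.conf, prepend "index=<name>" to each "search =" setting
that does not already name an index, and write the result to
local/savedsearches.conf so that default/ is left untouched.
"""
import os
import re

# "search = <SPL>" setting inside a stanza; group 1 keeps the key and spacing.
SEARCH_SETTING = re.compile(r"^(\s*search\s*=\s*)(.*)$")
# An index= term already present at the start or after whitespace.
HAS_INDEX = re.compile(r"(?:^|\s)index\s*=", re.IGNORECASE)


def add_index_to_searches(conf_text: str, index_name: str) -> str:
    """Return conf_text with index=<index_name> prepended to each search.

    Searches are left alone when they already contain an index= term or
    when they begin with "|" (a generating command such as inputlookup,
    where a leading index= would be a syntax error).
    """
    out = []
    for line in conf_text.splitlines():
        m = SEARCH_SETTING.match(line)
        if m is None:
            out.append(line)
            continue
        key, body = m.group(1), m.group(2).strip()
        if not body or body.startswith("|") or HAS_INDEX.search(body):
            out.append(line)
        else:
            out.append(f"{key}index={index_name} {body}")
    trailer = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + trailer


def write_local_override(app_dir: str, index_name: str) -> str:
    """Create <app_dir>/local/savedsearches.conf from default/ and return its path.

    Refuses to overwrite an existing local file, since that may hold other
    site-specific edits that a blind rewrite would lose.
    """
    default_path = os.path.join(app_dir, "default", "savedsearches.conf")
    local_dir = os.path.join(app_dir, "local")
    local_path = os.path.join(local_dir, "savedsearches.conf")
    if os.path.exists(local_path):
        raise FileExistsError(f"{local_path} already exists; merge by hand")
    with open(default_path, encoding="utf-8") as fh:
        rewritten = add_index_to_searches(fh.read(), index_name)
    os.makedirs(local_dir, exist_ok=True)
    with open(local_path, "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    return local_path


# Constructed sample: the stanza quoted in the post (shortened) plus two edge cases.
SAMPLE_CONF = """\
[Cisco Security Suite - Overview - Global Security Events Map]
search = eventtype=cisco-security-events dest_ip!="255.255.255.255" src_ip="*" | stats count by src_ip

[Already scoped to an index]
search = index=firewallIndex eventtype=cisco-security-events

[Generating command, must not be prefixed]
search = | inputlookup local_ips.csv
"""


if __name__ == "__main__":
    import sys
    import tempfile

    index = sys.argv[1] if len(sys.argv) > 1 else "firewallIndex"
    # Stand-alone demo against a throwaway app directory; point app_dir at
    # $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite to run it for real.
    with tempfile.TemporaryDirectory() as app_dir:
        os.makedirs(os.path.join(app_dir, "default"))
        with open(os.path.join(app_dir, "default", "savedsearches.conf"), "w") as fh:
            fh.write(SAMPLE_CONF)
        path = write_local_override(app_dir, index)
        with open(path, encoding="utf-8") as fh:
            print(fh.read())
```

After running it against the real app directory, restart Splunk (or reload the app) and confirm one of the rewritten searches returns events before trusting the dashboards; if a search still comes back empty, check that the index name in FORMAT, in indexes.conf and in the saved searches is spelled identically.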