I have a distributed environment:
Splunk Enterprise 7.2.4
All infrastructure is RHEL 7.x
Search head cluster (5 search heads)
Multisite Index cluster (20 indexers)
Cisco devices --> rsyslog server --> UF collects the logs --> index cluster (sourcetype=syslog)
I have installed the cisco_ios app on my search head cluster
I have installed the TA-cisco_ios add-on on my search heads and on my indexers
sourcetype = syslog
index = something_that_meets_my_naming_standards
From what I'm reading in the docs, it doesn't look like I need to change anything in the TA or the App to include my custom index name. The data is tagged as syslog and I can search the logs within my index, but the Cisco dashboards don't find anything.
What am I missing here?
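As an added diagnostic, not from the post and not code from the cisco_ios app or the TA-cisco_ios add-on: a small Python script that checks whether the raw lines arriving through rsyslog actually carry the Cisco IOS system-message header (`%FACILITY-SEVERITY-MNEMONIC: text`), which is the part of the event a Cisco-specific add-on has to key on regardless of which index the data lands in. The sample lines are constructed to look like what an rsyslog server writes for IOS devices; the syslog header layout and the exact classification rules the installed add-on applies are assumptions, since the post does not show them.

```python
import re
from collections import Counter

# Constructed sample lines (not from the post), in the shape an rsyslog server
# typically writes for Cisco IOS devices: syslog header, relay host, sequence
# number, device timestamp, then the IOS system message. The last line is a
# non-Cisco message from the same syslog stream.
SAMPLE_LINES = [
    "Mar  4 10:15:02 core-sw01 1234: Mar  4 10:15:01.998: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    "Mar  4 10:15:03 core-sw01 1235: Mar  4 10:15:02.001: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar  4 10:15:05 core-sw01 1236: Mar  4 10:15:04.120: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.0.0.5)",
    "Mar  4 10:15:06 rsyslog01 systemd[1]: Started Session 42 of user root.",
]

# Cisco IOS system-message header: %FACILITY-SEVERITY-MNEMONIC: text
# Facility and mnemonic are upper-case alphanumerics (underscore allowed);
# severity is a single digit 0-7.
CISCO_IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Assumed BSD-style syslog header written by rsyslog: "Mon DD HH:MM:SS host ".
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# Cisco IOS severity levels.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}


def parse_line(line):
    """Return extracted fields if the line is a Cisco IOS message, else None."""
    m = CISCO_IOS_MSG.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAMES[fields["severity"]]
    header = SYSLOG_HEADER.match(line)
    # host is the value rsyslog recorded; absent if the header is not BSD-style
    fields["host"] = header.group("host") if header else None
    return fields


def summarize(lines):
    """Count Cisco IOS vs. other lines and report which facilities/hosts appear.

    A file where cisco_ios is 0 means the Cisco-specific extractions have
    nothing to match, whatever sourcetype or index the events carry.
    """
    facilities = Counter()
    hosts = set()
    matched = 0
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        matched += 1
        facilities[fields["facility"]] += 1
        if fields["host"]:
            hosts.add(fields["host"])
    return {
        "total": len(lines),
        "cisco_ios": matched,
        "other": len(lines) - matched,
        "facilities": dict(facilities),
        "hosts": sorted(hosts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Run it against a few hundred lines taken from the rsyslog output file the forwarder monitors; if `cisco_ios` comes back as zero, the add-on's Cisco extractions have no header to match, and the rsyslog template (not the index name) is the first thing to look at.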