The Cisco Nexus 9k Add-on for Splunk Enterprise provides a scripted input for Splunk that automatically extracts the responses of CLI commands from Cisco Nexus 9000 switches. The app also gathers syslog from Cisco Nexus 9000 switches and provides it to the main app.
The Splunk indexer system should have 4 GB of RAM and a quad-core CPU to run this app smoothly.
1) Add-on app, which runs collector scripts and gathers data from ACI environment, does indexing on it and provides indexed data to Main app.
2) Main app, which receives indexed data from Add-on app, runs searches on it and builds dashboard using indexed data.
This App can be set up in two ways:
1) Standalone Mode: Install main app and Add-on app on a single machine.
2) Distributed Environment: Install main app and Add-on app on search head and only Add-on app on forwarder system.
* Here too, both apps reside on the search head machine, but there is no need to enable input scripts on the search head.
* Only the Add-on app is required to be installed on the forwarder system.
* Execute the following command to forward the collected data to the search head.
/opt/splunk/bin/splunk add forward-server <search_head_ip_address>:9997
* On Search head machine, enable event listening on port 9997 (recommended by Splunk).
* Main app on search head uses the received data and builds dashboards on it.
Restart Splunk.
Note: If a previous version of the App is already installed, remove the TA_cisco-Nexus-9k folder from the Splunk app folder before installing the newer version, or upgrade the app from the Splunk UI.
Please disable all the scripted inputs before upgrading the Add-on (TA_cisco-Nexus-9k).
* Download the App package
* From the UI navigate to Apps->Manage Apps
* In the top right corner select "Install app from file"
* Select "Choose File" and select the App package
* Check Upgrade App
* Select "Upload" and follow the prompts.
#### OR
* If a newer version is available on Splunkbase, the App/Add-on can also be updated from the UI.
* From the UI navigate to Apps->Manage Apps OR click on the gear icon
* Search for Cisco Nexus 9k App/Add-on
* Click on 'Update to <version>' under the Version column.
After successfully upgrading the Add-on (TA_cisco-Nexus-9k), follow the steps below.
* If the app is upgraded from version 1.0/1.1 to the latest version, the user needs to create a custom index named "n9000": the "n9000" index is deleted on upgrade, so it must be created again to search data and to index incoming data.
* The steps to create a custom index are given in the section: Create your own index.
* If the Add-on is configured in a Windows environment, perform the following steps:
* Copy the content of "default/inputs.conf.WINDOWS" to "default/inputs.conf"
This section provides the steps to uninstall App from a standalone Splunk platform installation.
$SPLUNK_HOME/bin/splunk clean eventdata -index <index_name>
Delete the app and its directory. The app and its directory are typically located in the folder $SPLUNK_HOME/etc/apps/<appname> or run the following command in the CLI:
$SPLUNK_HOME/bin/splunk remove app [appname] -auth <splunk username>:<splunk password>
You may need to remove user-specific directories created for your app by deleting any files found here: $SPLUNK_HOME/bin/etc/users/*/<appname>
Restart the Splunk platform. You can navigate to Settings -> Server controls and click the restart button in the Splunk web UI, or use the following Splunk CLI command to restart Splunk:
This file contains filename paths which are different based on your OS platform. The app is configured out of the box to work for Unix/Linux/Mac OS systems. If you are running this app on a Windows system, perform the following steps:
1. Copy the content of "default/inputs.conf.WINDOWS" to "default/inputs.conf"
2. Now copy and paste that default/inputs.conf to local/inputs.conf
3. Restart Splunk
After the TA App is configured to receive data from Nexus 9k switches, the main app dashboard can take some time before the data is populated in all panels. A good test to see that you are receiving all of the data is to run this search after several minutes:
index=main | stats count by sourcetype
In particular, you should see this sourcetype:
* cisco:nexus:json
If you don't see this sourcetype, have a look at the messages output by the scripted input: Collect.py. Here is a sample search that will show them:
* index=_internal component="ExecProcessor" collect.py "Nexus Error"| table _time host log_level message
If you are using this App/Add-on in a Windows environment, also take a look at the output of the following search query:
* index=_internal component=ConfPathMapper TA_cisco-Nexus-9k
If you get an Access Denied error in the output like:
WARN ConfPathMapper - Failed to open: C:\Program Files\Splunk\etc\apps\TA_cisco-Nexus-9k\local\cisco_nexus_setup.conf: Access is denied.
Then you need to change the permissions of the cisco_nexus_setup.conf file under the TA_cisco-Nexus-9k\local folder. Follow the steps below.
* Right-click local/cisco_nexus_setup.conf -> Properties -> Security. If there is no permission for SYSTEM, follow the steps below.
* Right-click local/cisco_nexus_setup.conf -> Properties -> Security -> click Edit -> Add -> enter "SYSTEM" in the box -> click Check Names -> OK -> under Permissions for SYSTEM allow Full Control -> OK
* In the same way, give Read permission to “Everyone”
* Restart Splunk
1) Configure from UI
2) Configure from Backend
NOTE: If you want to index data in different sourcetype, perform below steps:
Field names are case sensitive in the Nexus 9k. Every event starts with the timestamp and always contains the device from which that particular event came. For simplification, we can add one additional field named "component" to each event and give it an appropriate value, so that the data can easily be segregated by component name.
Below are two sample event records. The first one gives system resource details in JSON format and the other one gives accounting logs in key=value form as raw data.
1)
{"device": "x.x.x.x", "timestamp": "2014-06-23 01:20:19", "Row_info": {"cpuid": "0", "kernel": "0.99", "idle": "99.00", "user": "0.00"}, "component": "nxresource"}
{"device": "x.x.x.x", "timestamp": "2014-06-23 01:20:19", "Row_info": {"cpuid": "1", "kernel": "0.00", "idle": "100.00", "user": "0.00"}, "component": "nxresource"}
{"device": "x.x.x.x", "timestamp": "2014-06-23 01:20:19", "Row_info": {"cpuid": "2", "kernel": "0.00", "idle": "100.00", "user": "0.00"}, "component": "nxresource"}
{"device": "x.x.x.x", "timestamp": "2014-06-23 01:20:19", "Row_info": {"cpuid": "3", "kernel": "0.00", "idle": "100.00", "user": "0.00"}, "component": "nxresource"}
2)
{"device": "x.x.x.x", "Row_info": {"hw": "0.1010", "sw": "6.1(2)I2(2a)", "modwwn": "1", "slottype": "LC1"}, "timestamp": "2015-01-01 09:05:08", "component": "nxinventory"}
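The event shape described above can be checked before events are searched by component. The following is an added example, not code from the add-on: it validates the case-sensitive field names and the timestamp format shown in the samples and groups valid events by "component". The function names, the rejection reasons and the three malformed input lines are assumptions made for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed input: two events in the page's shape plus three malformed lines.
SAMPLE = """\
{"device": "x.x.x.x", "timestamp": "2014-06-23 01:20:19", "Row_info": {"cpuid": "0", "kernel": "0.99", "idle": "99.00", "user": "0.00"}, "component": "nxresource"}
{"device": "x.x.x.x", "Row_info": {"hw": "0.1010", "sw": "6.1(2)I2(2a)", "modwwn": "1", "slottype": "LC1"}, "timestamp": "2015-01-01 09:05:08", "component": "nxinventory"}
{"device": "x.x.x.x", "timestamp": "2014-06-23 01:20:19", "row_info": {"cpuid": "1"}, "component": "nxresource"}
{"device": "x.x.x.x", "timestamp": "23/06/2014", "Row_info": {}, "component": "nxresource"}
not json at all
"""
REQUIRED = ("device", "timestamp", "Row_info", "component")  # exact case


def check_event(line):
    """Return (event, None) for a well-formed event, else (None, reason)."""
    try:
        event = json.loads(line)
    except ValueError:
        return None, "not JSON"
    if not isinstance(event, dict):
        return None, "not a JSON object"
    for key in REQUIRED:
        if key not in event:
            # Field names are case sensitive: report a wrong-case variant.
            near = [k for k in event if k.lower() == key.lower()]
            hint = " (found %s)" % near[0] if near else ""
            return None, "missing %s%s" % (key, hint)
    if not isinstance(event["Row_info"], dict):
        return None, "Row_info is not an object"
    try:
        datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S")
    except (TypeError, ValueError):
        return None, "bad timestamp"
    return event, None


def segregate(text):
    """Group valid events by component; list (line_no, reason) for the rest."""
    groups, rejected = defaultdict(list), []
    for line_no, line in enumerate(text.splitlines(), 1):
        event, reason = check_event(line)
        if event is None:
            rejected.append((line_no, reason))
            continue
        row = dict(event["Row_info"], device=event["device"], timestamp=event["timestamp"])
        groups[event["component"]].append(row)
    return dict(groups), rejected
```

Calling `segregate(SAMPLE)` returns the flattened rows per component together with the line numbers and reasons for the rejected lines.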
This app is provided with sample data which can be used to generate dummy data. To simulate this sample data, the Splunk Event Generator, which is available at https://github.com/splunk/eventgen, first needs to be installed at $SPLUNK_HOME/etc/apps/. This app generates the dummy data for Cisco Nexus 9k switches and populates the dashboards of the main app with the dummy data.
v2.1.0
* Added support of Splunk 8.x
* Made Add-on Python2 and Python3 compatible
v2.0.1
* Added validation on setup page to suffice cloud cert checks
* Provided backend configurable http_scheme for on-prem user who wants to collect data over an unencrypted network
• This app is supported by Cisco Systems.
• Please ask questions by creating a TAC case on https://globalcontacts.cloudapps.cisco.com/contacts/contactDetails/en_US/c1o1-c2o2-c3o8 OR contact us at 1 800 553 2447 or 1 408 526 7209