Integrated Enterprise Value for Cisco data
Integrated Enterprise Value (IEV) provides new value for Cisco data that is ingested into Splunk.
Integrated Enterprise Value (IEV) is a Splunk benefit for eligible Cisco-generated data. When Cisco data is ingested into Splunk with a supported sourcetype, that eligible data counts at a 0.5x weighted ingest rate for applicable entitlement consumption. For example, 20 GB/day of eligible Cisco data counts as 10 GB/day of effective commercial consumption.
IEV does not change the actual amount of data stored, indexed, retained, or searched in Splunk. Customers should continue to size Splunk environments, including Splunk Cloud Platform environments, based on actual data volume and expected search activity.
IEV availability, eligibility, and use remain subject to the customer's order, applicable offering terms, the Splunk General Terms, and this supported sourcetype list.
How IEV adds value
With IEV, eligible Cisco data counts against supported Splunk ingest entitlement at a 50% lower weighted rate, giving customers twice the license value for eligible Cisco data compared with standard ingest treatment. This improves the economics of using Splunk as the intelligence layer for Cisco data. With eligible Cisco data searchable in Splunk, customers can use their existing Splunk workflows for investigation, correlation, reporting, detection, and operational analysis.
Prerequisites
To qualify for IEV treatment, Cisco data must meet all of the following requirements:
-
The data must be generated by a Cisco product, service, device, or supported Cisco integration.
-
The data must be ingested into Splunk using one of the supported
sourcetypevalues listed on this page. -
The customer must preserve the supported
sourcetypevalue during ingestion. Custom, renamed, generic, or wildcard-only source types do not qualify unless Splunk explicitly maps them to a supported value. -
The customer must use applicable Splunk data onboarding, add-on, and configuration guidance for the relevant Cisco source.
-
The customer environment must have sufficient capacity for the actual ingest, retention, and search workload. The weighted rate affects entitlement consumption; it does not reduce physical workload.
-
Splunk must be able to validate eligible Cisco usage through available product usage data, reporting, or other approved validation mechanisms.
License scope
IEV applies to eligible Cisco ingest under supported Splunk ingest-based license and pricing paths, subject to the customer's order and applicable terms. Covered scope includes:
-
Splunk Enterprise: Ingest >100GB/day license
-
Splunk Cloud Platform: Ingest license.
IEV does not apply to non-ingest pricing metrics unless expressly included in the customer's applicable terms. For example, IEV does not change SVC, vCPU, workload, search, or federated search consumption.
Dashboard reporting
Splunk plans to update Cloud Monitoring Console (CMC) and Monitoring Console (MC) reporting so customers can more easily see Cisco and non-Cisco usage, eligible Cisco sourcetype consumption, and weighted entitlement consumption. These dashboard changes are coming soon.
Until those updates are available, customers should contact their Splunk account team for the most accurate Cisco sourcetype consumption and IEV-weighted entitlement view.
What is not eligible
The following data does not qualify for IEV treatment unless Splunk separately validates and adds it to the supported list:
-
Non-Cisco data.
-
Cisco data that uses generic source types such as
json,csv, or a customer-specific parser name.
-
Cisco data with a renamed or custom
sourcetype.
-
Wildcard discovery patterns such as
cisco:*,cisco*,meraki:*, ormeraki*. These patterns can help find Cisco data, but they are not literal eligibility keys.
-
Add-on operational logs, internal diagnostics, or modular input logs that are not listed as supported sourcetypes.
How entitlement consumption is calculated
Use actual workload for platform sizing and weighted consumption for applicable commercial entitlement.
E)
Effective commercial consumption = non-Cisco or ineligible ingest + (0.5 x eligible Cisco ingest
Actual workload = non-Cisco or ineligible ingest + eligible Cisco ingest
Example: If a customer ingests 600 GB/day of eligible Cisco data and 200 GB/day of non-Cisco data, effective commercial consumption is 500 GB/day. The actual workload remains at 800 GB/day.
Supported Add-ons and Apps for Cisco data onboarding
Customers should use the supported Splunkbase Technical Add-ons (TAs) and Apps for the relevant Cisco products when onboarding Cisco data into Splunk. These add-ons and apps provide the supported path for parsing, field extraction, source type assignment, and product-specific data onboarding.
| Supported Splunk add-on or app | Cisco Products and Data scope |
|---|---|
|
Cisco security cloud integrations and Cisco security products, including Secure Firewall, FTD/eStreamer, Firepower, Sourcefire, Snort, Secure Endpoint, Secure Network Analytics/Stealthwatch, XDR, Duo, Email Threat Defense, AI Defense, Identity Intelligence, Secure Malware Analytics, Secure Workload, Multicloud Defense, Network Visibility Module, Endpoint Visibility Module, Isovalent, Vulnerability Intelligence, AnyConnect/Secure Client, and related Security Cloud/SBG data. |
|
|
Cisco ASA, Secure Firewall Threat Defense, Firepower, Sourcefire, Snort, Secure Network Analytics/Stealthwatch flow data, and related firewall syslog source types. |
|
|
Cisco Secure Access, Umbrella/OpenDNS, Cloudlock, DNS, proxy, firewall, private access, ZTNA, RAVPN, DLP, intrusion, web, and related SSE data. |
|
|
Cisco Meraki networks, devices, organizations, access points, wireless, switches, security appliances, cameras, sensors, firewall, flow, webhook, licensing, firmware, and API data. |
|
|
Cisco Catalyst, Catalyst Center/DNAC, Catalyst SD-WAN/Viptela, IOS, Cyber Vision, ISE analytics, ACS-related network access data, access points, WLC, routers, switches, and related network infrastructure data. |
|
|
Cisco Identity Services Engine authentication, authorization, policy, TACACS, RADIUS, security-group, and ACS-related network access data. |
|
|
Cisco ACI, Nexus Dashboard, Nexus switches, MSO, syslog, endpoint, flow, protocol, fabric, health, class, managed object, and statistics data. |
|
|
Cisco Intersight alarms, audit records, compute, fabric, network, inventory, metrics, profiles, pools, targets, contracts, advisories, and licenses. |
|
|
Cisco Secure Email Gateway / ESA authentication, mail, AMP, antispam, delivery, bounce, system, and summary email data. |
|
|
Cisco Web Security Appliance proxy, W3C, L4TM, squid, and syslog data. |
|
|
Cisco Unified Computing System and Integrated Management Controller data. |
|
|
Cisco ThousandEyes activity, alerts, events, metrics, traces, path visualization, and related data. |
|
|
Cisco Talos domain, IP, and URL intelligence data. |
Supported Cisco sourcetypes
This table is not intended to list every eligible source type variation; Splunk may extend the benefit to additional verifiable source types ingested from the listed Cisco products as those source types are reviewed and validated.
| Cisco product | Supported Splunk add-on or app | Supported source types |
|---|---|---|
|
Cisco Secure Firewall |
|
|
|
Cisco Data Center Networking |
|
|
|
Cisco Meraki |
|
|
|
Cisco Access Control Server (ACS) |
Cisco Catalyst Add-on for Splunk; Splunk Add-on for Cisco ISE |
|
|
Cisco AI Defense |
|
|
|
Cisco AnyConnect / Cisco Secure Client |
|
|
|
Cisco Catalyst Center |
|
|
|
Cisco Catalyst SD-WAN |
|
|
|
Cisco Cyber Vision (CCV) |
|
|
|
Cisco Duo Security |
|