Integrated Enterprise Value for Cisco data

Integrated Enterprise Value (IEV) provides new value for Cisco data that is ingested into Splunk.

Integrated Enterprise Value (IEV) is a Splunk benefit for eligible Cisco-generated data. When Cisco data is ingested into Splunk with a supported sourcetype, that eligible data counts at a 0.5x weighted ingest rate for applicable entitlement consumption. For example, 20 GB/day of eligible Cisco data counts as 10 GB/day of effective commercial consumption.

IEV does not change the actual amount of data stored, indexed, retained, or searched in Splunk. Customers should continue to size Splunk environments, including Splunk Cloud Platform environments, based on actual data volume and expected search activity.

IEV availability, eligibility, and use remain subject to the customer's order, applicable offering terms, the Splunk General Terms, and this supported sourcetype list.

Note: Splunk will review the supported sourcetype reference at reasonable, regular intervals and may update it as additional Cisco data sources, add-ons, or source types are validated. This reference identifies known supported source types and Cisco product scope; it is not intended to list every eligible source type variation.

How IEV adds value

With IEV, eligible Cisco data counts against supported Splunk ingest entitlement at a 50% lower weighted rate, giving customers twice the license value for eligible Cisco data compared with standard ingest treatment. This improves the economics of using Splunk as the intelligence layer for Cisco data. With eligible Cisco data searchable in Splunk, customers can use their existing Splunk workflows for investigation, correlation, reporting, detection, and operational analysis.

Prerequisites

To qualify for IEV treatment, Cisco data must meet all of the following requirements:

  • The data must be generated by a Cisco product, service, device, or supported Cisco integration.

  • The data must be ingested into Splunk using one of the supported sourcetype values listed on this page.

  • The customer must preserve the supported sourcetype value during ingestion. Custom, renamed, generic, or wildcard-only source types do not qualify unless Splunk explicitly maps them to a supported value.

  • The customer must use applicable Splunk data onboarding, add-on, and configuration guidance for the relevant Cisco source.

  • The customer environment must have sufficient capacity for the actual ingest, retention, and search workload. The weighted rate affects entitlement consumption; it does not reduce physical workload.

  • Splunk must be able to validate eligible Cisco usage through available product usage data, reporting, or other approved validation mechanisms.

License scope

IEV applies to eligible Cisco ingest under supported Splunk ingest-based license and pricing paths, subject to the customer's order and applicable terms. Covered scope includes:

  • Splunk Enterprise: Ingest >100GB/day license

  • Splunk Cloud Platform: Ingest license.

IEV does not apply to non-ingest pricing metrics unless expressly included in the customer's applicable terms. For example, IEV does not change SVC, vCPU, workload, search, or federated search consumption.

Dashboard reporting

Splunk plans to update Cloud Monitoring Console (CMC) and Monitoring Console (MC) reporting so customers can more easily see Cisco and non-Cisco usage, eligible Cisco sourcetype consumption, and weighted entitlement consumption. These dashboard changes are coming soon.

Until those updates are available, customers should contact their Splunk account team for the most accurate Cisco sourcetype consumption and IEV-weighted entitlement view.

What is not eligible

The following data does not qualify for IEV treatment unless Splunk separately validates and adds it to the supported list:

  • Non-Cisco data.

  • Cisco data that uses generic source types such as json, csv, or a customer-specific parser name.

  • Cisco data with a renamed or custom sourcetype.

  • Wildcard discovery patterns such as cisco:*, cisco*, meraki:*, or meraki*. These patterns can help find Cisco data, but they are not literal eligibility keys.

  • Add-on operational logs, internal diagnostics, or modular input logs that are not listed as supported sourcetypes.

How entitlement consumption is calculated

Use actual workload for platform sizing and weighted consumption for applicable commercial entitlement.

E)

CODE
Effective commercial consumption = non-Cisco or ineligible ingest + (0.5 x eligible Cisco ingest
            Actual workload = non-Cisco or ineligible ingest + eligible Cisco ingest

Example: If a customer ingests 600 GB/day of eligible Cisco data and 200 GB/day of non-Cisco data, effective commercial consumption is 500 GB/day. The actual workload remains at 800 GB/day.

Supported Add-ons and Apps for Cisco data onboarding

Customers should use the supported Splunkbase Technical Add-ons (TAs) and Apps for the relevant Cisco products when onboarding Cisco data into Splunk. These add-ons and apps provide the supported path for parsing, field extraction, source type assignment, and product-specific data onboarding.

Supported Splunk add-on or app Cisco Products and Data scope

Cisco Security Cloud

Cisco security cloud integrations and Cisco security products, including Secure Firewall, FTD/eStreamer, Firepower, Sourcefire, Snort, Secure Endpoint, Secure Network Analytics/Stealthwatch, XDR, Duo, Email Threat Defense, AI Defense, Identity Intelligence, Secure Malware Analytics, Secure Workload, Multicloud Defense, Network Visibility Module, Endpoint Visibility Module, Isovalent, Vulnerability Intelligence, AnyConnect/Secure Client, and related Security Cloud/SBG data.

Splunk Add-on for Cisco ASA

Cisco ASA, Secure Firewall Threat Defense, Firepower, Sourcefire, Snort, Secure Network Analytics/Stealthwatch flow data, and related firewall syslog source types.

Cisco Secure Access Add-on for Splunk

Cisco Secure Access, Umbrella/OpenDNS, Cloudlock, DNS, proxy, firewall, private access, ZTNA, RAVPN, DLP, intrusion, web, and related SSE data.

Cisco Meraki Add-on for Splunk

Cisco Meraki networks, devices, organizations, access points, wireless, switches, security appliances, cameras, sensors, firewall, flow, webhook, licensing, firmware, and API data.

Cisco Catalyst Add-on for Splunk

Cisco Catalyst, Catalyst Center/DNAC, Catalyst SD-WAN/Viptela, IOS, Cyber Vision, ISE analytics, ACS-related network access data, access points, WLC, routers, switches, and related network infrastructure data.

Splunk Add-on for Cisco ISE

Cisco Identity Services Engine authentication, authorization, policy, TACACS, RADIUS, security-group, and ACS-related network access data.

Cisco DC Networking

Cisco ACI, Nexus Dashboard, Nexus switches, MSO, syslog, endpoint, flow, protocol, fabric, health, class, managed object, and statistics data.

Cisco Intersight Add-on for Splunk

Cisco Intersight alarms, audit records, compute, fabric, network, inventory, metrics, profiles, pools, targets, contracts, advisories, and licenses.

Splunk Add-on for Cisco ESA

Cisco Secure Email Gateway / ESA authentication, mail, AMP, antispam, delivery, bounce, system, and summary email data.

Splunk Add-on for Cisco WSA

Cisco Web Security Appliance proxy, W3C, L4TM, squid, and syslog data.

Splunk Add-on for Cisco UCS

Cisco Unified Computing System and Integrated Management Controller data.

Cisco ThousandEyes App for Splunk

Cisco ThousandEyes activity, alerts, events, metrics, traces, path visualization, and related data.

Cisco Talos Intelligence for Enterprise Security Cloud

Cisco Talos domain, IP, and URL intelligence data.

Supported Cisco sourcetypes

This table is not intended to list every eligible source type variation; Splunk may extend the benefit to additional verifiable source types ingested from the listed Cisco products as those source types are reviewed and validated.

Cisco product Supported Splunk add-on or app Supported source types

Cisco Secure Firewall

Cisco Security Cloud

cisco:ftd:adv:conn, cisco:ftd:adv:dns, cisco:ftd:adv:ftp, cisco:ftd:adv:http, cisco:ftd:adv:notice, cisco:ftd:adv:weird, cisco:ftd:connection, cisco:ftd:connection:security, cisco:ftd:correlation, cisco:ftd:discovery, cisco:ftd:file, cisco:ftd:intrusion, cisco:ftd:intrusionpacket, cisco:ftd:malware, cisco:ftd:useractivity, cisco:sfw:estreamer, cisco:sfw:policy, cisco:ftd

Cisco Data Center Networking

Cisco DC Networking

cisco:dc:aci:authentication, cisco:dc:aci:class, cisco:dc:aci:health, cisco:dc:aci:managed_object, cisco:dc:aci:stats, cisco:dc:aci:syslog, cisco:dc:mso:syslog, cisco:dc:nd:advisories, cisco:dc:nd:anomalies, cisco:dc:nd:congestion, cisco:dc:nd:endpoints, cisco:dc:nd:flows, cisco:dc:nd:mso, cisco:dc:nd:protocols, cisco:dc:nd:syslog, cisco:dc:nexus9k, cisco:dc:nexus9k:dme, cisco:dc:nexus9k:syslog

Cisco Meraki

Cisco Meraki Add-on for Splunk

cisco:meraki, cisco:meraki:flow, cisco_meraki_log, meraki, meraki:accesspoints, meraki:airmarshal, meraki:apirequestshistory, meraki:apirequestsoverview, meraki:apirequestsresponsecodes, meraki:appliancesdwanstatistics, meraki:appliancesdwanstatuses, meraki:assurancealerts, meraki:audit, meraki:cameras, meraki:devices, meraki:devicesavailabilities, meraki:devicesavailabilitieschangehistory, meraki:devicesuplinksaddressesbydevice, meraki:devicesuplinkslossandlatency, meraki:firewall, meraki:firmwareupgrades, meraki:flows, meraki:licensescotermlicenses, meraki:licensesoverview, meraki:licensessubscriptionentitlements, meraki:licensessubscriptions, meraki:organizations, meraki:organizationsecurity, meraki:organizationsnetworks, meraki:portstransceiversreadingshistorybyswitch, meraki:powermodulesstatusesbydevice, meraki:securityappliances, meraki:sensorreadingshistory, meraki:summaryswitchpowerhistory, meraki:summarytopappliancesbyutilization, meraki:summarytopclientsbyusage, meraki:summarytopdevicesbyusage, meraki:summarytopswitchesbyenergyusage, meraki:switches, meraki:switchportsbyswitch, meraki:switchportsoverview, meraki:webhook, meraki:webhooklogs:api, meraki:wirelesscontrolleravailabilitieschangehistory, meraki:wirelesscontrollerdevicesinterfacespacketsoverviewbydevice, meraki:wirelesscontrollerdevicesinterfacesusagehistorybyinterval, meraki:wirelessdevicesethernetstatuses, meraki:wirelessdevicespacketlossbydevice, meraki:wirelessdeviceswirelesscontrollersbydevice

Cisco Access Control Server (ACS)

Cisco Catalyst Add-on for Splunk; Splunk Add-on for Cisco ISE

cisco:acs

Cisco AI Defense

Cisco Security Cloud

cisco:ai:defense, cisco:ai:defense:notable

Cisco AnyConnect / Cisco Secure Client

Cisco Security Cloud

cisco_anyconnect:vpn

Cisco Catalyst Center

Cisco Catalyst Add-on for Splunk

cisco:dnac:application:traffic, cisco:dnac:audit:logs, cisco:dnac:client, cisco:dnac:clienthealth, cisco:dnac:compliance, cisco:dnac:devicehealth, cisco:dnac:devicehealth:interface, cisco:dnac:issue, cisco:dnac:networkhealth, cisco:dnac:securityadvisory, cisco:dnac:site:topology, cisco:dnac:swim

Cisco Catalyst SD-WAN

Cisco Catalyst Add-on for Splunk

cisco:firewall:logs, cisco:sdwan, cisco:sdwan:acl:logs, cisco:sdwan:alert:off, cisco:sdwan:alert:on, cisco:sdwan:audit:logs, cisco:sdwan:block:host, cisco:sdwan:dmi:cli:engine:write:fail, cisco:sdwan:drop:pkt, cisco:sdwan:energy:stats, cisco:sdwan:host:tcp:alert:on, cisco:sdwan:linkhealth, cisco:sdwan:log:summary, cisco:sdwan:pass:pkt, cisco:sdwan:session:audit:trail, cisco:sdwan:session:audit:trail:start, cisco:sdwan:sessions:maximum, cisco:sdwan:sgacl:logs, cisco:sdwan:sitehealth, cisco:sdwan:smart:lic:platform:error, cisco:sdwan:ssetunnelhealth, cisco:sdwan:ssetunnels, cisco:sdwan:stream, cisco:sdwan:system:logs, cisco:sdwan:tunnelhealth, cisco:sdwan:unblock:host, cisco:sdwan:utd:logs, cisco:sdwan:utdhealth, viptela

Cisco Cyber Vision (CCV)

Cisco Catalyst Add-on for Splunk

cisco:cybervision:activities, cisco:cybervision:components, cisco:cybervision:devices, cisco:cybervision:events, cisco:cybervision:flows, cisco:cybervision:syslog, cisco:cybervision:vulnerabilities

Cisco Duo Security

Cisco Security Cloud

cisco:duo, cisco:duo:account, cisco:duo:activity, cisco:duo:administrator, cisco:duo:authentication, cisco:duo:authentication_v2, cisco:duo:endpoint, cisco:duo:telephony, cisco:duo:telephony_v2, cisco:duo:trust_monitor, cisco:duo:user

Note: Splunk will review the supported sourcetype list at reasonable, regular intervals and may update it as additional Cisco data sources, add-ons, or sourcetypes are validated.