Configure Cisco Catalyst Center and Cisco Meraki alerts for ITSI 4.20.x and higher

Configure Cisco Catalyst Center and Cisco Meraki alerts for ITSI 4.20.x and higher using the generic data integrations.

Note:

The generic data integrations described on this page are only required if you want to ingest alerts to ITSI 4.20.x.
If you want to ingest alerts to ITSI 4.21.x and higher, you can use the generic data integrations described on this page or the specific data integrations for Cisco Catalyst Center and Cisco Meraki described on Configure alerts for ITSI 4.21.x and higher. The best practice is to use the specific data integrations, which contain default connections and templates to map data fields to normalize alerts for new connections.
If you were using ITSI 4.20.x and configured the generic data integrations, upgrading to ITSI 4.21.x and higher will not automatically migrate you to the specific data integrations. The generic data integrations will still be functional. To optionally switch to the specific data integrations, deactivate your connection(s) in the generic data integrations and follow the steps in Configure alerts for ITSI 4.21.x and higher.

The Cisco Catalyst Add-On for Splunk and Cisco Meraki Add-on for Splunk do not normalize alerts data. To ingest and normalize alerts from Cisco Catalyst Center or Cisco Meraki to ITSI 4.20.x and higher, you can set up generic data integrations for alerts.

The generic data integrations require manually mapping data fields to normalize alerts.

For more information about data normalization, see Overview of the Splunk Common Information Model.

Configure a generic data integration for Cisco Catalyst Center alerts

Complete the following steps to configure a generic data integration for Cisco Catalyst Center alerts.

From the ITSI main menu, select Configurations, then Data Integrations.
The Integrations library tab is selected by default. Under Alerts, select Generic.
Enter a Title for the data connection, such as Cisco Catalyst Center.
Under Select data ingest method, the Indexed data (Splunk, add-on) tab is selected by default. Enter and validate the index:
1. For * Search, enter `itsi_cp_catalyst_center_index` sourcetype="cisco:dnac:issue".
  Note: If you are ingesting Cisco Catalyst Center alerts from a different index, change itsi_cp_catalyst_center_index to the correct index.
2. Select a Lookback period.
3. Select Validate.

Under Map data fields for ingest and configuration, configure the following field mappings:


Field name	Field type	Field value
* Source =	Composition	`Field:DeviceName`
* Signature =	Composition	`Field:IssueSpecificName`
* Vendor Severity =	Composition	`Field: IssueSpecificPriority`
* Severity ID =	Mapping rule - Values case mapping	If `Field:vendor_severity` is equal to (not case sensitive) `P1` then use `Critical` If `Field:vendor_severity` is equal to (not case sensitive) `P2` then use `High` If `Field:vendor_severity` is equal to (not case sensitive) P3 then use `Medium` If `Field:vendor_severity` is equal to (not case sensitive) P4 then use `Low` else use this default value `Info`
* Title =	Composition	`Field:IssueSpecificName` `-` `Field:DeviceName` Note: You must enter 3 text values in this order, including the “-” symbol. Do not add spaces between the values.
* Owner =	Composition	`unassigned`
* Status =	Mapping rule - Value case mapping	If `Field:IssueStatus` is equal to (not case sensitive) `resolved` then use `Resolved` else use this default value `New`
* Subcomponent =	Mapping rule - Coalesce	`Field: subcomponent` else use this default value `-` Note: Set the default value to the "-" symbol to represent a text value.
ITSI Drilldown Search	Composition	`Field:itsiDrilldownSearch`
ITSI Drilldown earliest offset	Mapping rule - Coalesce	`Field:itsiDrilldownEarliestOffset` Else use this default value `-900`
ITSI Drilldown latest offset	Mapping rule - Coalesce	`Field:itsiDrilldownLatestOffset` Else use this default value `900`

Under Association, enter SiteNameHierarchy as the value for the Entity Lookup Field.
Select Save and activate.

Configure a generic data integration for Cisco Meraki alerts

Complete the following steps to configure a generic data integration for Cisco Meraki alerts.

From the ITSI main menu, select Configurations, then Data Integrations.
The Integrations library tab is selected by default. Under Alerts, select Generic.
Enter a Title for the data connection, such as Cisco Meraki.
Under Select data ingest method, the Indexed data (Splunk, add-on) tab is selected by default. Enter and validate the index:
1. For * Search, enter `meraki_index` sourcetype="meraki:assurancealerts".
  Note: If you are ingesting Cisco Meraki alerts from a different index, change meraki_index to the correct index.
2. Select a Lookback period.
3. Select Validate.

Under Map data fields for ingest and configuration, configure the following field mappings:


Field name	Field type	Field value
* Source =	Composition	`Field:network.name`
* Signature =	Composition	`Field:type`
Vendor Severity =	Composition	`Field:severity`
Severity ID =	Mapping rule - Value case mapping	If `Field:vendor_severity` is equal to (not case sensitive) `critical` then use `Critical` If `Field:vendor_severity` is equal to (not case sensitive) `warning` then use `Medium` If `Field:vendor_severity` is equal to (not case sensitive) `informational` then use `Info` Else use this default value `Info`
* Title =	Mapping rule - Value case mapping	If `Field:scope.devices{}.nam`e is not `null` then use `Field:title` `-` `Field:scope.devices{}.name` Note: You must enter 3 text values in this order, including the "-" symbol. Do not add spaces between the values. Else if `Field:scope.applications{}.name` is not `null`, then use `Field:title` `-` `Field:scope.applications{}.name` Note: Note: You must enter 3 text values in this order, including the "-" symbol. Do not add spaces between the values. Else use this default value `Field:title`
* Owner =	Composition	`unassigned`
* Status =	Composition	`New`
* Subcomponent =	Mapping rule - Value case mapping	If `Field:scope.devices{}.name` is not `null` then use `Field:scope.devices{}.name` `-` `Field:scope.devices{}.productType` Note: You must enter 3 text values in this order, including the "-" symbol. Do not add spaces between the values. Else if `Field:scope.applications{}.name` is not `null` Then use `Field:scope.applications{}.name` Else use this default value `-`
* Alert Identifier Fields =	Composition	`Field:signature` `-` `Field:src` `-` `Field:subcomponent` Note: You must enter 5 text values in this order, including the "-" symbols.
Description =	Mapping rule - Value case mapping	If `Field:description` is not equal to `null` Then use `Field:description` Else if `Field:detailedDescription` is not equal to `null` Then use `Field:detailedDescriptionElse` Else use this default value `Field:title`
App =	Composition	`Field:app`
ITSI Drilldown search =	Composition	`Field:itsiDrilldownSearch`
ITSI Drilldown earliest offset =	Mapping rule - Coalesce	`Field:itsiDrilldownEarliestOffset` Else use this default value `-900`
ITSI Drilldown latest offset =	Mapping rule - Coalesce	`Field:itsiDrilldownLatestOffset` Else use this default value `900`
ITSI Drilldown Website Name =	Mapping rule - Value case mapping	If `Field:scope.devices{}.url` is not `null` Then use `Field:scope.devices{}.url` Else if `Field:scope.applications{}.url` is not `null` Then use `Field:scope.applications{}.url` Else use this default value `Sorry, no external drilldown available`
ITSI Drilldown Website URL	Mapping rule - Value case mapping	If `Field:scope.devices{}.url` is not `null` Then use `Field:scope.devices{}.url` Else if `Field:scope.applications{}.url` is not `null` Then use `Field:scope.applications{}.url` Else use this default value `https://splunk.com`

Under Association, enter SiteNameHierarchy as the value for the Entity Lookup Field.
Select Save and activate.

Documentation

Configure Cisco Catalyst Center and Cisco Meraki alerts for ITSI 4.20.x and higher

Configure a generic data integration for Cisco Catalyst Center alerts

Configure a generic data integration for Cisco Meraki alerts