Configure Cisco Nexus Dashboard alerts for ITSI 4.20.x and higher

The Cisco DC Networking App for Splunk does not normalize alerts data. To ingest and normalize alerts from Cisco Nexus Dashboard to ITSI 4.20.x and higher, you can set up a generic data integration.

The generic data integration requires manually mapping data fields to normalize alerts.

For more information about data normalization, see Overview of the Splunk Common Information Model.

Configure a generic data integration for Cisco Nexus Dashboard alerts

Complete the following steps to configure a generic data integration for Cisco Nexus Dashboard alerts.

1. From the ITSI main menu, select Configuration > Data Integrations.

2. The Integrations library tab is selected by default. Under Alerts, select Generic.

3. Enter a Title for the data connection, such as Cisco Nexus Dashboard.

4. Under Select data ingest method, enter and validate the index:

   1. For * Search, enter:

      CODECopy

      `cisco_dc_nd_index` sourcetype IN ("cisco:dc:nd:anomalies", "cisco:dc:nd:advisories") | mvexpand node_names | rename node_names as node_name | eval itsi_entity_id = fabricName.":".node_name

      `cisco_dc_nd_index` sourcetype IN ("cisco:dc:nd:anomalies", "cisco:dc:nd:advisories") 
      | mvexpand node_names
      | rename node_names as node_name
      | eval itsi_entity_id = fabricName.":".node_name

      Note: If you are ingesting Cisco Nexus Dashboard alerts from a different index, change cisco_dc_nd_index to the correct index.
   2. Select a Lookback period.

   3. Select Validate.

5. Under Map data fields for ingest and configuration, configure the following field mappings:

   Field name	Field type	Field value
   Source =	Composition	Field: node_name
   Signature =	Composition	Field: signature
   Vendor Severity =	Composition	Field: vendor_severity
   Severity ID =	Mapping rule - Value case mapping	If vendor_severity is equal to (not case sensitive) critical then use Critical If Field:vendor_severity is equal to (not case sensitive) major then use High If Field:vendor_severity is equal to (not case sensitive) minor then use Medium If Field:vendor_severity is equal to (not case sensitive) warning then use Low If Field:vendor_severity is equal to (not case sensitive) normal then use Normal If Field:vendor_severity is equal to (not case sensitive) info then use Info Else use this default value Low
   Title =	Mapping rule - Value case mapping	If Field:alertType is equal to (not case sensitive) advisory then use Field:title Else use default values: Field: fabricName - Field: signature - Field: src Note: You must enter 4 text values in this order, including the "-" symbols. Do not add spaces between the values.
   Owner =	Composition	unassigned
   Status =	Composition	New
   Subcomponent =	Composition	Field: entityName
   Alert Identifier Fields =	Composition	Field: id
   Description =	Composition	Field: description
   App =	Composition	Field: app
   ITSI Drilldown Search Name =	Composition	Field: itsiDrilldownSearchName
   ITSI Drilldown Search =	Composition	Field:itsiDrilldownSearch
   ITSI Drilldown earliest offset =	Mapping rule - Coalesce	Field: itsiDrilldownEarliestOffset Else use default value -900
   ITSI Drilldown latest offset =	Mapping rule - Coalesce	Field: itsiDrilldownLatestOffset Else use default value 900

6. Under Association, enter itsi_entity_id as the value for the Entity Lookup Field.

7. Select Save and activate.