Cisco Meraki data isn’t populating in the default service analyzer
How to troubleshoot if Cisco Meraki data isn’t populating in the default service analyzer.
Problem
Cisco Meraki data isn’t populating in the default service analyzer.
Causes
This issue could be caused by any of the following reasons:
- The definition for the content pack search macro, `meraki_index`, doesn't point to the index used by the Cisco Meraki Add-on for Splunk. By default, the macro definition is `index IN ("main")`. If you used a different index when you configured the Cisco Meraki Add-on for Splunk, data will not populate in the service analyzer.
- Data isn't being collected by the Cisco Meraki Add-on for Splunk.
- Cisco Enterprise Network services aren't enabled. When you import services into the service sandbox, services are disabled by default. You must enable the services within the sandbox before you publish the sandbox, or enable them after publishing the sandbox.
Solutions
Use the following solutions if Cisco Meraki data isn’t populating in the default service analyzer.
Update the content pack search macro definition to point to the correct index for Cisco Meraki
Complete the following steps to update the content pack search macro definition to point to the correct index.
- (Optional) If you need to create an index, see Create events indexes.
- Identify the index that the Cisco Meraki Add-on for Splunk uses:
  - From the Splunk Enterprise main menu, select Apps, then select Splunk Add-on for Cisco Meraki.
  - From the Cisco Meraki Add-On for Splunk main menu, select Inputs.
  - In the table of inputs, use the Index column to identify the index for your inputs. By default, this index is set to `main`.
- Update the content pack search macro to use the same index as the add-on:
  - From the Splunk Enterprise main menu, select Settings, then Advanced Search.
  - Select Search Macros.
  - In the App drop-down menu, select Splunk Add-on for Cisco Meraki (Splunk_TA_cisco_meraki).
  - Select meraki_index.
  - By default, the macro definition is set to `index IN ("main")`. In the Definition field, change the index value to the index used by the Cisco Meraki Add-on for Splunk.
  - Select Save.
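The same comparison can be made offline, shown here as an added example that is not Splunk's own code: it reads the `meraki_index` definition from macros.conf text and the `index` setting of each input stanza from inputs.conf text, then lists the inputs whose index the macro does not search. The conf contents and input stanza names are constructed for illustration, and an input without an `index` setting is assumed to write to `main`.

```python
import configparser
import re
from fnmatch import fnmatch

# Constructed sample conf contents; the input stanza names are hypothetical.
MACROS_CONF = """
[meraki_index]
definition = index IN ("main")
"""
INPUTS_CONF = """
[example_meraki_input://organizations]
index = meraki
interval = 3600

[example_meraki_input://assurance_alerts]
interval = 300
"""

def _parse(text):
    # Splunk .conf files are INI-like; split options on "=" only.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def macro_indexes(definition):
    """Index names (or wildcard patterns) that a macro definition searches."""
    m = re.search(r'index\s+IN\s*\(([^)]*)\)', definition, re.I)
    if m:
        return {v.strip().strip('"') for v in m.group(1).split(",") if v.strip()}
    found = re.findall(r'index\s*=\s*("[^"]+"|[^\s()]+)', definition, re.I)
    return {v.strip('"') for v in found}

def input_indexes(inputs_text, default="main"):
    """Map each input stanza to its index; a [default] stanza sets the fallback."""
    cp = _parse(inputs_text)
    if cp.has_section("default"):
        default = cp.get("default", "index", fallback=default)
    return {s: cp.get(s, "index", fallback=default)
            for s in cp.sections() if s != "default"}

def uncovered_inputs(macros_text, inputs_text, macro="meraki_index"):
    """Inputs whose index is not searched by the macro, so their data never
    reaches searches built on it."""
    searched = macro_indexes(_parse(macros_text).get(macro, "definition"))
    return {stanza: idx for stanza, idx in input_indexes(inputs_text).items()
            if not any(fnmatch(idx, pattern) for pattern in searched)}

if __name__ == "__main__":
    for stanza, idx in uncovered_inputs(MACROS_CONF, INPUTS_CONF).items():
        print(f"{stanza}: writes to index '{idx}', not searched by meraki_index")
```

An empty result means every input writes to an index that the macro definition covers.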
Troubleshoot data ingestion for the Cisco Meraki Add-On for Splunk
Complete the following steps to troubleshoot data ingestion for the Cisco Meraki Add-On for Splunk.
- Check that the required data inputs are enabled in the Cisco Meraki Add-On for Splunk:
  - From the Splunk Enterprise main menu, select Apps, then select Splunk Add-On for Cisco Meraki.
  - From the Cisco Meraki Add-On for Splunk main menu, select Inputs.
  - In the table of inputs, enable the following inputs based on your use case.

| Data input | Description | sourcetype |
| --- | --- | --- |
| Organizations | Collects data for service discovery and entity discovery searches. | meraki:organizations |
| Organizations Networks | Collects data for service discovery and entity discovery searches. | meraki:organizationsnetworks |
| Wireless Packet Loss by Device | Collects data for dashboards and service KPIs. | meraki:wirelessdevicespacketlossbydevice |
| Device Availabilities Change History | Collects data for dashboards and service KPIs. | meraki:devicesavailabilitieschangehistory |
| Assurance Alerts | Collects data for alerts, dashboards, and service KPIs. | meraki:assurancealerts |

- Check that the Cisco Meraki Add-On for Splunk index is collecting data:
  - From the IT Service Intelligence (ITSI) main menu, select Search.
  - In the Search field, enter `meraki_index` sourcetype=<sourcetype_name>. Replace <sourcetype_name> with the sourcetype for the input that you enabled. Refer to the previous step for the sourcetype names.
  - Use the results to confirm if the Cisco Meraki Add-On for Splunk is collecting data from the input that you enabled. Repeat these steps for each data input.
- If data isn’t being collected for an input, check the `_internal` index (which stores Splunk Enterprise internal logs) to identify errors in the add-on:
  - From the IT Service Intelligence (ITSI) main menu, select Search.
  - In the Search field, enter index=_internal source=*meraki*.
  - Use the results to identify and resolve errors in the add-on.
For more troubleshooting instructions, see the Troubleshooting tab in the Splunkbase listing.
Enable Cisco Enterprise Network services
If you enabled Cisco Enterprise Network services in the sandbox before you published them, skip this step.
Complete the following steps to enable Cisco Enterprise Network services from the Service and KPI Management page.
- From the ITSI main menu, select Configuration, then Service Monitoring.
- Select Service and KPI Management.
- Select the Created by drop-down menu.
- Select the name of the sandbox you created for the Content Pack for Cisco Enterprise Networks. By default, the service import modules use the following sandbox naming conventions:
  - Catalyst Center - <account_name>
  - Meraki - <organization_id>
- To enable services, use one of the following methods:
  - To individually enable services, select the toggle in the Status column to switch the status to Enabled.
  - To bulk enable multiple services, check the boxes for the services you want to enable. Select Bulk Action, then Enable.