The Cisco ACI App for Splunk Enterprise is used to build dashboards on indexed data provided by the "Cisco ACI Add-on for Splunk Enterprise" app.
This app delivers centralized, real-time visibility for applications and ACI infrastructures across bare-metal and virtualized environments.
Install the main app (Cisco ACI App for Splunk Enterprise) and the Add-on (Cisco ACI Add-on for Splunk Enterprise) on a single machine.
* Here both apps reside on a single machine.
* The main app uses the data collected by the Add-on and builds dashboards on it.
Restart Splunk
Note:
1) If a previous version of the App is already installed, remove the cisco-app-ACI folder from the Splunk app folder before installing the newer version, or upgrade the app from the Splunk UI.
2) If you have cleaned Splunk event data, make sure to delete the files ending with _LastTransactionTime.txt from the TA_cisco-ACI/bin/ folder.
These files store the timestamp used to fetch only incremental data from APIC or MSO.
Refer to the documentation provided by "Cisco ACI Add-on for Splunk Enterprise" for configuration of the Add-on.
Note: If a previous version of the Add-on is already installed, remove the TA_cisco-ACI folder from the Splunk app folder before installing the newer version, or upgrade it from the Splunk UI.
If you upgrade the app, ensure that index, sourcetype, and interval are specified for each input in local/inputs.conf.
Please disable all the scripted inputs before upgrading the Add-on (TA_cisco-ACI).
* Download the App package
* From the UI navigate to Apps -> Manage Apps
* In the top right corner select "Install app from file"
* Select "Choose File" and select the App package
* Check Upgrade App
* Select "Upload" and follow the prompts.
#### OR
* If a newer version is available on Splunkbase, the App/Add-on can also be updated from the UI.
* From the UI navigate to Apps -> Manage Apps, or click on the gear icon.
* Search for Cisco ACI App/Add-on
* Click on 'Update to <version>' under the Version column.
Please follow the below steps.
'-stats'
is present, then perform the following steps.
Restart Splunk
Follow the steps below if you are collecting data using Certificate Based Authentication in v4.3.0 or v4.4.0 and upgrading the Add-on to v5.1.0.
You need to convert your Private key to RSA Private key by running the following command in cmd.
Enable all the scripted inputs.
This section provides the steps to uninstall App from a standalone Splunk platform installation.
(Optional) If you want to remove data from Splunk database, you can use the below Splunk CLI clean command to remove indexed data from an app before deleting the app.
Delete the app and its directory. The app and its directory are typically located in the folder $SPLUNK_HOME/etc/apps/<appname> or run the following command in the CLI:
You may need to remove user-specific directories created for your app by deleting any files found here: $SPLUNK_HOME/bin/etc/users/*/<appname>
Restart the Splunk platform. You can navigate to Settings -> Server controls and click the restart button in Splunk web UI or use the following Splunk CLI command to restart Splunk:
Once the Add-on is configured to receive data from ACI, the main app dashboards can take some time before data is populated in all panels. A good test to see that you are receiving all of the data is to run this search after several minutes:
index="<your index>" | stats count by sourcetype
Troubleshooting APIC configuration:
If you don't see these sourcetypes, have a look at the messages output by the scripted input: collect.py. Here is a sample search that will show them:
index=_internal component="ExecProcessor" collect.py "ACI Error:" | table _time host log_level message
Troubleshooting MSO configuration:
You can also check the $SPLUNK_HOME/var/log/splunk/splunkd.log file to see whether any error has occurred.
Below are two sample event records. The first one gives health detail for a tenant with the name "common" and the other one gives a fault detail for the same tenant.
1)
2014-04-25 00:38:07 dn=uni/tn-common/health status=created,modified updTs=2014-04-25T04:52:32.274+00:00 chng=0 cur=100 maxSev=cleared modTs=never twScore=100 rn=health prev=100 childAction= dn=uni/tn-common lcOwn=local ownerKey= name=common descr= status=created,modified monPolDn=uni/tn-common/monepg-default modTs=2014-04-23T22:14:01.702+00:00 ownerTag= uid=0 rn=tn-common childAction= component=fvTenant
2)
2014-04-25 00:38:08 status=created,modified domain=tenant code=F1228 occur=1 subject=contract severity=minor descr=Contract default configuration failed due to filter-not-present origSeverity=minor rn=fault-F1228 childAction= type=config dn=uni/tn-common/oobbrc-default/fault-F1228 prevSeverity=minor modTs=never highestSeverity=minor lc=raised changeSet= created=2014-04-23T22:24:37.274+00:00 ack=no cause=configuration-failed rule=vz-abrcp-configuration-failed lastTransition=2014-04-23T22:26:57.046+00:00 dn=uni/tn-common lcOwn=local ownerKey= name=common descr= status=created,modified monPolDn=uni/tn-common/monepg-default modTs=2014-04-23T22:14:01.702+00:00 ownerTag= uid=0 rn=tn-common childAction= component=fvTenant
Below are two sample event records. The first one gives policy detail for a policy named common_tenant_policy and the other one for mso_policy.
1)
current_time=2020-06-19 16:10:42 mso_host=x.x.x.x mso_api_endpoint=policyDetails version=1 provider_epgRef=/schemas/5eccc36d2d0000623d59b228/templates/Template2/anps/common_tenant_AP/epgs/common_tenant_EPG_1 provider_addr=1.2.3.4 provider_l3Ref= provider_tenantId=0000ffff0000000000000010 provider_externalEpgRef= tenantId=0000ffff0000000000000010 id=5ed5f8242a1d00df1aabe01b policySubtype=relay name=common_tenant_policy policyType=dhcp
2)
current_time=2020-06-19 16:10:42 mso_host=x.x.x.x mso_api_endpoint=policyDetails provider_epgRef=/schemas/5eccc36d2d0000623d59b228/templates/Template2/anps/common_tenant_AP/epgs/common_tenant_EPG_1 provider_addr=10.0.1.11 provider_l3Ref= provider_tenantId=0000ffff0000000000000010 provider_externalEpgRef= tenantId=5ecca9982d0000453759b150 id=5eec91755c1d0065269c37c6 policySubtype=relay name=mso_policy policyType=dhcp
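An offline parser for the record formats above, useful for checking field extraction before relying on a dashboard or alert. This is an added example, not code from the App or the Add-on; the function names are hypothetical, and it assumes keys are plain words and no value contains a space followed by `word=`.

```python
import re
from collections import defaultdict

# A key is a word followed by "=", at the start of the record or after whitespace.
KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")
TENANT = re.compile(r"uni/tn-([^/\s]+)")

# Constructed samples, abbreviated from the records shown above.
SAMPLE_FAULT = (
    "2014-04-25 00:38:08 status=created,modified domain=tenant code=F1228 "
    "severity=minor descr=Contract default configuration failed due to "
    "filter-not-present origSeverity=minor changeSet= lc=raised "
    "dn=uni/tn-common/oobbrc-default/fault-F1228 "
    "dn=uni/tn-common name=common component=fvTenant"
)
SAMPLE_MSO = (
    "current_time=2020-06-19 16:10:42 mso_host=x.x.x.x "
    "mso_api_endpoint=policyDetails name=mso_policy policyType=dhcp"
)

def parse_record(line):
    """Return (leading timestamp, {key: [values]}) for one record.

    A value runs up to the next key, so spaces inside descr= or current_time=
    are kept, and a repeated key such as dn= keeps every value in order.
    """
    keys = list(KEY.finditer(line))
    prefix = line[:keys[0].start()].strip() if keys else line.strip()
    fields = defaultdict(list)
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        fields[cur.group(1)].append(line[cur.end():end].strip())
    return prefix, dict(fields)

def tenants(fields):
    """Tenant names referenced by any dn value of the form uni/tn-<name>[/...]."""
    found = (TENANT.match(dn) for dn in fields.get("dn", []))
    return sorted({m.group(1) for m in found if m})

def fault_summary(line):
    """Triage view of a fault record; None when the record has no fault code."""
    ts, f = parse_record(line)
    if "code" not in f:
        return None
    return {"time": ts, "tenants": tenants(f), "code": f["code"][0],
            "severity": f.get("severity", [""])[0], "lifecycle": f.get("lc", [""])[0]}

if __name__ == "__main__":
    print(fault_summary(SAMPLE_FAULT))
    print(parse_record(SAMPLE_MSO)[1])
```

Both dn values of the fault record are kept, so a check that only reads the first one would miss the tenant-level object.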
This app stores the indexed data in accelerated datamodels and builds dashboards by fetching data from those datamodels. Below is the list of datamodels that have been created in the app.
Events - Maps to general information for all the MOs of class=eventrecord.
If you want to improve the performance of dashboards, you must enable acceleration of the datamodel. Please follow the below steps:
This app provides savedsearches that generate lookup files or send email alerts.
In addition to out-of-the-box reporting and analytics capabilities for your ACI environment, the app includes a set of pre-defined dashboards for specific user roles:
Helpdesk admin: Enables Help desk operator to analyze various faults in the system and escalate them to tenant or fabric admin accordingly. He will have access to only "Home", "Authentication" and "Helpdesk" dashboards.
Tenant admin: Enables Tenant admin to analyze and drill down faults and health related issues to a particular tenant. He can drill down into Applications, EPGs, and VM endpoints to identify a single point of failure within the admin. He will have access to only "Home", "Authentication" and "Tenants" Dashboards.
Fabric admin: Enables Fabric Admin to analyze physical network related issues. It gives visibility into fabric components of networks, e.g. leaf and spine, and their physical components like chassis, ports, fan tray, line card, etc.
Tenant user: Enables Tenant User to manage a specific tenant and all of its components like Application, EPGs, and VMs. To create a Tenant user for tenant "ABC", follow the steps given below.
1) Create a role with the name "tenant_ABC". In search criteria put "dn=uni/tn-ABC/*".
2) Create a new user with the name user-ABC and apply the role of "tenant_ABC" to this user.
3) Edit the permission of Tenant Dashboard to provide read access to a user with the role "tenant_ABC".
The app also includes a set of MSO dashboards for specific use cases:
Sites: Information about sites associated with MSO and the fault count of various severity levels. Drill-downs are provided in Site Information, Site Health graph, and panels consisting of fault counts, so users can get a detailed view of the same.
Schemas: Information about schemas configured with MSO. Drill-down on the "No. of Schemas Associated With MSO" single pane visualization shows schema details; drill-down on the Application Profiles, Bridge Domain, External EPGs, and VRF single pane visualizations gives insights into particular health and fault details; and drill-down on contracts shows contract health details.
Tenants: Graphical representation of tenants associated with sites, schemas, and users. Drill-down on the table showing Tenant Details for a particular site redirects to the Tenant Details dashboard, which gives more description of the selected tenant.
Users: Information about MSO users and their roles. More details about user and roles are given by drill down on the Users and Roles panel.
Policy: Information about policies configured in MSO. Drill down on Policy SubType Breakdown panel will show details of specific subtype.
All the MSO dashboards have an Audit Logs panel showing audit logs of a particular type; for example, the Schemas dashboard has audit logs only of type schema.
output will be truncated at xxx results due to excessive memory usage...
, user can manually increase the memory limit in limits.conf
Bug Fixes
Version 5.0.0:
Updated setup guide
Version 4.4.0:
Added support of Splunk 8.x
Version 4.3.0:
Added New dashboards for Multi-Site Orchestrator
MSO Overview
Sites
Schemas
Tenants
Users
Policy
Added support for filter out data based on the Multi-Site Orchestrator on all ACI dashboards
Version 4.3.0
Added 3 Dashboards of Cloud APIC
Changed savedsearches - APICFabricLookup, APICCEPLookup
* Bug Fixes
v 4.2.4
- Additional Dashboards for Controller Statistics and ACL Logs on L2 and L3 layer
- Better UI performance
- Additional VLAN information
- Bug fixes
v 4.2.3
- Additional bug fixes
v 4.2.2
- Additional Cloud Support
v 4.2.1
- Additional Dashboards for Controller Statistics and ACL Logs on L2 and L3 layer
- Better UI performance
- Additional VLAN information
- Bug fixes
For App related questions, kindly create a TAC case
https://globalcontacts.cloudapps.cisco.com/contacts/contactDetails/en_US/c1o1-c2o2-c3o8
OR
Contact Us
1 800 553 2447 or
1 408 526 7209
v 4.2.0
- Additional Dashboards for Controller Statistics and ACL Logs on L2 and L3 layer
- Better UI performance
- Additional VLAN information
- Bug fixes
Version 4.1.3 updates (compatible with ACI add-on 4.1.1):
New Fabric Extenders dashboard
APIC Syslog parsing capability - Used in System Faults and Events dashboard
APIC Health and Status monitoring
Minor bugs and fixes
Optimized dashboard/search performance
For Technical Support: contact aci-splunk-app@cisco.com OR create a case with Cisco TAC.
All features existing in the version 4.0
New sample data for eventgen (Cisco ACI Add-on for Splunk Enterprise Version 4.0.1)
Minor bug fixes
Updated Help Desk>'System Faults' dashboard
Updated Fabric>'Authentication' dashboard
Version: 4.0 features
The features developed in this release include:
• Support for multiple APIC's
• Syslog Integration with ACI
• Multi-Pod and Micro-segmentation view
• Get to the root cause better and faster
• Increased performance of dashboards
• New and better User Interface and drill-down capabilities
The features developed in this release include:
• Threshold setting for KPI's (i.e. no of tenants, end point groups, contracts, filters, bridge domains and l3out networks)
• Generate alerts when threshold levels are exceeded.
• Fault tracking with state transition.
• Tenant Utilization, Top TCAM and Port Utilization.
• Updated the Splunk Landing page/home page to display the Number of EPGs, Number of contracts, Number of filters, Number of BDs and Number of L3OutNetworks. Drill down on each component to display tenant-wise details.
Release Features
The features developed in this release include:
• Threshold setting for KPI's (i.e. no of tenants, end point groups, contracts, filters, bridge domains and l3out networks)
• Generate alerts when threshold levels are exceeded.
• Fault tracking with state transition.
• Tenant Utilization.
• TCAM and Port Utilization.
• Updated the Splunk Landing page/home page to display the Number of EPGs, Number of contracts, Number of filters, Number of BDs and Number of L3OutNetworks. Drill down on each component to display tenant-wise details.