Skip to content

Use the Troubleshooting dashboard

In version 1.7.0 and later, the Splunk Add-on for Cisco ESA provides a troubleshooting dashboard that lets you quickly spot possible issues and monitor the ingestion of events. This dashboard lets you view the message analytics data for the Splunk Add-on for Cisco ESA. To use this dashboard:

  1. Navigate to the “Dashboards” tab.
  2. Find the “Cisco ESA TA Troubleshooting Dashboard”.
  3. Select the time range with the label “Time for logs” in the top left corner.
  4. View different analytics and panels related to the add-on’s logs.

The following panels provide comprehensive visibility into data ingestion of the Splunk Add-on for Cisco ESA Troubleshooting Dashboard, which empowers you to effectively monitor your Splunk environment.

  • Add-on version: Identifies the add-on version.
  • Number of events: Shows you the total number of events ingested.
  • Event count time chart: Identifies the number of events ingested between time intervals.
  • Distributions of events by index: Pie chart that shows the distribution of events that are ingested among various indexes.
  • Total number of events: Table that shows the exact count of events that are ingested in various indexes.
  • Events ingested by sources: Pie chart shows event distribution from various sources over a specific time range.
  • Events ingested by source types: This pie chart that shows event distribution from various source types over a specific time range.
  • CIM-supported events: Shows the count of events that are mapped with relevant data models. To view this information you must also have Splunk CIM https://splunkbase.splunk.com/app/1621 installed.

Monitor the Cisco ESA Event Count Time-based chart

The Event Count time-based panel provides a time-series graph of the Cisco ESA events ingested in Splunk. This panel lets you determine when Cisco ESA events are ingested in their Splunk environment. The time-series graph is populated based on the _time of the event. Once you set the time range, you can identify the event count ingestion and monitor the event flow.

Configure the “Index” for the Cisco ESA Dashboard

To determine the index from which a saved search should collect information, the add-on uses the Cisco_ESA_Index macro. The macro is set to (“default”,”email”). Where Cisco ESA syslog data is collected in different indexes, you can update the macro by specifying the index used to collect syslog data.

To configure the search index:

  1. Go to Menu > Settings > Advanced Search.
  2. Click Search macros.
  3. Search Cisco_ESA_Index and click on Cisco_ESA_Index in the Name column.
  4. In the Definition field, replace (“default”,”email”) with the required list of indexes.
  5. Click Save.