Skip to content

Overview

About the Splunk Add-on for Cisco Meraki
Version 2.2.1
Vendor Products Cisco Meraki API v1.38.0
Visible in Splunk Web Yes. This add-on contains views for configuration.

The Splunk Add-on for Cisco Meraki lets you monitor network and security events in your environment. The the Splunk Add-on for Cisco Meraki can collect the following data via the Cisco Meraki REST APIs: Configuration changes Organization security events Events from devices (such as access points, cameras, switches and security appliances)

The Splunk Add-on for Cisco Meraki provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

Download the Splunk Add-on for Cisco Meraki from Splunkbase.

Hardware and software requirements for the Splunk Add-on for Cisco Meraki

Splunk platform requirements

Because this add-on runs on the Splunk platform, all of the system requirements apply to the Splunk software you use to run this add-on.

  • For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
  • If you plan to run this add-on entirely in Splunk Cloud, there are no additional Splunk platform requirements.
  • If you manage on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.

Input checkpoints are stored in the KV store, so you must have a KV store. Heavy Forwarders not using databases may not have a functioning KV store so make sure to verify that your configuration is correct if you are using a heavy forwarder.

Ended: Overview

Installation

Install the Splunk Add-on for Cisco Meraki

Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.

Distributed installation of this add-on

This table provides a quick reference for installing this add-on to a distributed deployment of Splunk Enterprise.

Splunk instance type Supported Required Comments
Search Heads Yes Yes Install this add-on to all search heads where Cisco Meraki knowledge management is required.
Indexers Yes No Not required, because the parsing operations occur on the heavy forwarders.
Heavy Forwarders Yes Yes Install this add-on on heavy forwarders to perform data collection via modular inputs.
Universal Forwarders No No Install this add-on on a heavy forwarder for data collection.
Inputs Data Manager Yes No This add-on is supported by Splunk Inputs Data Manager (IDM)
Self Service App Install (SSAI) Conditional No This add-on is supported by Self Service App Install (SSAI). This add-on is not supported by Self Service App Install (SSAI) if an IDM is utilized.

Distributed deployment compatibility

This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature

Supported

Comments

Search Head Clusters

Yes

You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection.

Indexer Clusters

Yes

Deployment Server

No

Supported for deploying unconfigured add-on only.

  • Using a deployment server to deploy the configured add-on to multiple forwarders acting as data collectors causes duplication of data.
  • The add-on uses the credential vault to secure your credentials, and this credential management solution is incompatible with the deployment server.

Installation walkthrough

See “Installing add-ons” in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

Ended: Installation

Configure

Configure credentials for Splunk Add-on for Cisco Meraki

The Cisco Meraki dashboard uses API keys to authenticate API calls.

  1. Enable API key access and generate your API keys. See the Cisco Meraki official documentation here.
  2. Obtain your organization ID.

  3. Copy the command to terminal:

    curl -L --request GET \
--url https://api.meraki.com/api/v1/organizations \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'X-Cisco-Meraki-API-Key: [API Key]'

  4. Replace [API Key] with your API key. Remember to leave a closing apostrophe.

  5. To connect to the China Service, replace meraki.com with meraki.cn.
  6. Run the command.
  7. Copy your organization ID from a list of returned organizations.

NOTE: Refer to the Meraki documentation to use other endpoints.

Make sure to name each of your devices (access point, camera, security appliance or switch) so that you can utilize the extractions that this add-on provides. Devices can also be renamed in a device’s overview page.

Set up the Splunk Add-on for Cisco Meraki

Before you use this task set up the Splunk Add-on for Cisco Meraki, obtain your organization id and API key from Cisco Meraki dashboard.

  1. On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Cisco Meraki.
  2. Click the Configuration tab.
  3. Click the Organization tab.

  4. In the Add Organization dialogue box, fill in the required fields:

    Field Description
    Organization Name The name of your Cisco Meraki organization.
    Service Region Select Global (that is the default) or China if China Service is used.
    Organization ID The organization ID that you obtained from Cisco Meraki.
    Organization API Key The organization API key that you obtained from Cisco Meraki.

  5. If you are using a proxy, check Enable Proxy and fill in the required fields on the Configuration tab. For instructions on configuring this through the CLI, including advanced options, see Configure a proxy using configuration files.

Next, configure your inputs.

(Optional) Change logging level

  1. On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Cisco Meraki.
  2. Click the Configuration tab.
  3. Click the Logging tab.
  4. Select a new logging level from the drop-down menu.
  5. Click Save to save your configurations.

(Optional) Proxy setup

  1. On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Cisco Meraki.
  2. Click the Configuration tab.
  3. Click the Proxy tab.
  4. Check Enable and fill in the required fields.

Note

Only HTTPS proxy are supported.

Configure a proxy using configuration files

You can also configure your proxy using the configuration files. This gives you access to a few advanced options.

  1. Create or edit $SPLUNK_HOME/etc/apps/Splunk_TA_cisco_meraki/local/splunk_ta_cisco_meraki_settings.conf.

  2. Fill in values for your proxy using the following structure: 

    [proxy]
proxy_enabled = 0
proxy_url =
proxy_port =
proxy_username =
proxy_password =

    3. Enable the proxy by setting proxy_enabled to 1.

Configure inputs for the Splunk Add-on for Cisco Meraki

To configure inputs for the Splunk Add-on for Cisco Meraki, complete these steps:

  1. On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Meraki.
  2. Click the Inputs tab.
  3. Click Create new input.

  4. Fill in the required fields:

    Field Description
    Name A name for the new input.
    Organization The Cisco Meraki organization to collect data from.
    Start from Available only for “Audit” input and applicable only for the first time. Indicates the number of days in the past this add-on should get data from. If not set, default is 1.
    Interval How often, in seconds, the Splunk platform calls the API to collect data. Set to 360 seconds or above to avoid rate limiting errors.
    Index The index in which the Splunk platform stores events from Cisco Meraki. The default is main.

    Note

    When you enable the input for the first time, by default the add-on collects historical event data for 24 hours in the past. If you have configured a start time on the setup page (applicable only for “Audit” input) the add-on starts at the configured time.

  5. Once you are satisfied with the configurations, click Enable next to the inputs you want to enable.

Migrate from an existing add-on

If an existing add-on is used to collect data from Cisco Meraki, this add-on can be utilized to collect more data (for example, configuration changes events which are not covered by an existing add-on).

There are no contraindications in running both existing and new add-ons if you want to verify that data is being collected correctly.

Ended: Configure

Troubleshooting

Troubleshoot the Splunk Add-on for Cisco Meraki

General troubleshooting

For helpful troubleshooting tips for all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual. For additional resources, see Support and resource links for add-ons in the Splunk Add-ons manual.

“404 Not Found” in error logs

If you are receiving a 404 Not Found error in the error logs, make sure you’ve entered the correct organization ID or that you have sufficient access rights for that particular organization ID in the Cisco Meraki Dashboard.

Enable API key access and generate your API key by following the steps outlined in the official Cisco Meraki documentation.

Ended: Troubleshooting

Reference

Source types for the Splunk Add-on for Cisco Meraki

The Splunk Add-on for Cisco Meraki provides the index-time and search-time knowledge for Cisco Meraki configuration changes, organization security and events from devices in the following formats.

Source type Description Event Type CIM data models
meraki:audit Organization configuration changes meraki_api_audit Change
meraki:accesspoints Access points events meraki_api_accesspoints_alerts Alerts
meraki_api_accesspoints_authentication Authentication
meraki_api_accesspoints_change Change
meraki:cameras Cameras events meraki_api_cameras Change
meraki:securityappliances Security appliances events meraki_api_securityappliances_alerts Alerts
meraki_api_securityappliances_authentication Authentication
meraki_api_securityappliances_change Change
meraki_api_securityappliances_networksessions Network Sessions
meraki:switches Switches events meraki_api_switches_change Change
meraki:organizationsecurity Organization security events meraki_api_organizationsecurity Malware

Lookups for the Splunk Add-on for Cisco Meraki

The Splunk Add-on for Cisco Meraki contains the following lookups. The lookup files map fields from Cisco Meraki logs to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco_meraki/lookups.

Filename Description
cisco_meraki_accesspoints_action_lookup.csv Maps meraki_event_type to action
cisco_meraki_accesspoints_change_type_object_object_category_result_lookup.csv Maps meraki_event_type to object,object_category,result and change_type
cisco_meraki_accesspoints_object_attrs_lookup.csv Maps meraki_event_type to object_attrs
cisco_meraki_cameras_lookup.csv Maps meraki_event_type to action,object_category,change_type and result
cisco_meraki_organizationsecurity_lookup.csv Maps priority to severity
cisco_meraki_securityappliances_action_lookup.csv Maps meraki_event_type to action
cisco_meraki_securityappliances_change_type_result_lookup.csv Maps meraki_event_type to change_type and result
cisco_meraki_securityappliances_object_object_category_lookup.csv Maps meraki_event_type to object and object_category
cisco_meraki_switches_action_lookup.csv Maps meraki_event_type to action
cisco_meraki_switches_change_type_object_lookup.csv Maps meraki_event_type to change_type and object
cisco_meraki_switches_result_lookup.csv Maps meraki_event_type to result

Ended: Reference

Release Notes

Release notes

Version 2.2.1 of the Splunk Add-on for Cisco Meraki was released on November 13, 2024.
Splunk Enterprise platform versions 9.2.x, 9.3.x
CIM 5.3.2
Platforms Platform independent
Vendor Products Cisco Meraki API v1.38.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Fixed issues

Version 2.2.1 of the Splunk Add-on for Cisco Meraki fixes the following issues.

Known issues

Version 2.2.1 of the Splunk Add-on for Cisco Meraki has the following known issues.

Third-party software attributions

Version 2.2.1 of the Splunk Add-on for Cisco Meraki does not incorporate third-party software or libraries.

Release notes history

The latest version of the Splunk Add-on for Cisco Meraki is version 2.2.1. See the Release notes for more information.

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Cisco Meraki was released on October 01, 2024.
Splunk Enterprise platform versions 9.2.x, 9.3.x
CIM 5.3.2
Platforms Platform independent
Vendor Products Cisco Meraki API v1.38.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

The Splunk Add-on for Cisco Meraki 2.2.0 introduces the following changes:

  • Provided compatibility for IPv6.
  • Provided compatibility with latest CIM version v5.3.2 for all events.
  • Establishment of well-standardized documentation.
  • Introduced TA monitoring dashboard.
  • Upgrade of UCC version.
  • Added validation while creating the Organization.
  • Security fixes.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Cisco Meraki fixes the following issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Cisco Meraki has the following known issues.

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Cisco Meraki does not incorporate third-party software or libraries.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Cisco Meraki was released on February 20, 2024.
Splunk Enterprise platform versions 9.0, 9.1, 9.2 Splunk Cloud (Classic Stack with IDM and Search Head on Victoria)
CIM 5.0.1
Platforms Platform independent
Vendor Products Cisco Meraki API v1.38.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

This release includes the following changes:

  • Splunk listed on the Cisco Meraki Marketplace.

Fixed issues

Version 2.1.0 of the Splunk Add-on for Cisco Meraki contains the following fixed issues.

Known issues

Version 2.1.0 of the Splunk Add-on for Cisco Meraki the following known issues.

Third-party software attributions

Media:PROJECT_splunk-add-on-for-cisco-meraki_2024-02-12_175230127Z.pdf

Version 2.0.3

Version 2.0.3 of the Splunk Add-on for Cisco Meraki was released on February 6, 2024.
Splunk Enterprise platform versions 9.0, 9.1, 9.2 Splunk Cloud (Classic Stack with IDM and Search Head on Victoria)
CIM 5.0.1
Platforms Platform independent
Vendor Products Cisco Meraki API v1.38.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

This release includes the following changes:

  • Fixed a security vulnerability found in Meraki library by removing a vulnerable package inside the library.

Fixed issues

Version 2.0.3 of the Splunk Add-on for Cisco Meraki contains the following fixed issues.

Known issues

Version 2.0.3 of the Splunk Add-on for Cisco Meraki the following known issues.

Third-party software attributions

Media:PROJECT_splunk-add-on-for-cisco-meraki_2024-02-01_132535161Z.pdf

Version 2.0.2

Version 2.0.2 of the Splunk Add-on for Cisco Meraki was released on January 6, 2024.
Splunk Enterprise platform versions 8.2, 9.0, 9.1 Splunk Cloud (Classic Stack with IDM and Search Head on Victoria)
CIM 5.0.1
Platforms Platform independent
Vendor Products Cisco Meraki API v1.34.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

This release includes the following changes:

  • Updated certifications to 2023.11.17 and urllib3 to 1.26.18.

Fixed issues

Version 2.0.2 of the Splunk Add-on for Cisco Meraki contains the following fixed issues.

Known issues

Version 2.0.2 of the Splunk Add-on for Cisco Meraki the following known issues.

Third-party software attributions

Media:PROJECT_splunk-add-on-for-cisco-meraki_2024-01-02_163210962Z.pdf

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Cisco Meraki was released on March 7, 2023.
Splunk Enterprise platform versions 8.1, 8.2, 9.0 Splunk Cloud (Classic Stack with IDM and Search Head on Victoria)
CIM 5.0.1
Platforms Platform independent
Vendor Products Cisco Meraki API v1.22.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

This release includes the following changes:

  • Fixed a security vulnerability found in the certifi library.

Fixed issues

Version 2.0.1 of the Splunk Add-on for Cisco Meraki contains the following fixed issues.

Known issues

Version 2.0.1 of the Splunk Add-on for Cisco Meraki the following known issues.

Date resolved Issue number Description
2024-02-09 ADDON-68604 Splunk Add-on for Cisco Meraki in version 2.0.1 and below are affected due to Meraki API v0 sunset, and will not work properly.

Workaround:
Please update Splunk Add-on for Cisco Meraki to version 2.0.2 or newer.

Third-party software attributions

Third-Party_library

Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Cisco Meraki was released on August 22, 2022.
Splunk Enterprise platform versions 8.1, 8.2, 9.0 Splunk Cloud (Classic Stack with IDM and Search Head on Victoria)
CIM 5.0.1
Platforms Platform independent
Vendor Products Cisco Meraki API v1.22.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

This release includes the following changes:

  • eventData.ip is mapped to src_ip for dhcp_lease instead of to dest_ip. eventData.server_ip mapped to dest_ip. If content was built on the fields, review and update as needed.
  • Support for the China Service Region has been added to Configuration > Organization

Refer to “Information for Users in China” for more information about the service

  • Air Marshal scan results: An Air Marshal input has been added. The input uses the getNetworkWirelessAirMarshal endpoint to get scan results.

NOTE: Data loaded to Splunk is limited to what is exposed in the endpoint. Particularly, there are no SSIDs categorization as in Dashboard GUI - as Rogue SSIDs, Other SSIDs, Spoofs, etc. This release is compatible with the following software, CIM versions, and platforms.

  • Splunk Add-on for Cisco Meraki field mapping changes:
Source-type meraki_event_type Fields added Fields removed
['meraki:securityappliances'] dhcp_lease src_ip, duration user

Fixed issues

Version 2.0.0 of the Splunk Add-on for Cisco Meraki contains the following fixed issues.

Known issues

Version 2.0.0 of the Splunk Add-on for Cisco Meraki the following known issues.

Third-party software attributions

Media:Meraki_Third-Party_library.pdf

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for Cisco Meraki was released on November 12, 2021. It is compatible with the following software, CIM versions, and platforms.
Splunk Enterprise platform versions 8.0, 8.1, 8.2 Splunk Cloud (Classic Stack with IDM and Search Head on Victoria)
CIM 4.18.1
Platforms Platform independent
Vendor Products Cisco Meraki API v1.12.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Fixed issues

Version 1.1.0 of the Splunk Add-on for Cisco Meraki contains the following fixed issues.

Known issues

Version 1.1.0 of the Splunk Add-on for Cisco Meraki the following known issues.

Third-party software attributions

Media:Meraki_Third-Party_library.pdf

Version 1.0.1

Version 1.0.1 of the Splunk Add-on for Cisco Meraki was released on June 4, 2021. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 8.0, 8.1, 8.2
CIM 4.18.1
Platforms Platform independent
Vendor Products Cisco Meraki API v1.7.0

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Fixed issues

Version 1.0.1 of the Splunk Add-on for Cisco Meraki contains the following fixed issues.

Known issues

Version 1.0.1 of the Splunk Add-on for Cisco Meraki contains the following known issues.

Third-party software attributions

Version 1.0.1 of the Splunk Add-on for Cisco Meraki incorporates the following third-party software or libraries.

Library License
meraki 1.7.2 https://github.com/meraki/dashboard-api-python/blob/master/LICENSE
PySocks 1.7.1 https://github.com/Anorov/PySocks/blob/master/LICENSE
aiohttp 3.7.4.post0 https://github.com/aio-libs/aiohttp/blob/master/LICENSE.txt
async_timeout 3.0.1 https://github.com/aio-libs/async-timeout/blob/master/LICENSE
certifi 2020.12.5 https://github.com/certifi/python-certifi/blob/master/LICENSE https://www.mozilla.org/en-US/MPL/2.0/ meraki
chardet 4.0.0 https://github.com/chardet/chardet/blob/master/LICENSE
future 0.18.2 https://github.com/PythonCharmers/python-future/blob/master/LICENSE.txt
httplib2 0.19.0 https://github.com/httplib2/httplib2
http://opensource.org/licenses/MIT https://github.com/httplib2/httplib2/blob/master/LICENSE
idna 3.1 https://github.com/kjd/idna/blob/master/LICENSE.md
multidict 5.1.0 https://github.com/aio-libs/multidict/blob/master/LICENSE
requests 2.25.1 https://github.com/psf/requests/blob/master/LICENSE
schematics 2.1.0 https://github.com/schematics/schematics/blob/master/LICENSE
sortedcontainers 2.3.0 https://github.com/grantjenks/python-sortedcontainers/blob/master/LICENSE
urllib3 1.26.4 https://github.com/urllib3/urllib3/blob/main/LICENSE.txt
yarl 1.6.3 https://github.com/aio-libs/yarl/blob/master/LICENSE
addonfactory-ucc-generator 4.4.0 https://github.com/splunk/addonfactory-ucc-generator/blob/main/LICENSES/Apache-2.0.txt

Ended: Release Notes