
Support for 'CiscoSplunkConnector' ACI app?

smp
Level 4

I have been unable to successfully configure the CiscoSplunkConnector ACI app to connect to our Splunk deployment. There is zero documentation, and the Developer Contact (devarsha@cisco.com) has not responded to an email. How can I get my hands on some configuration documentation, or get in touch with someone who supports this app for some assistance?

1 Reply

smp
Level 4

I was contacted by the developer who graciously agreed to review my configuration. In the course of that discussion, I learned a number of things about how this application works and how things need to be configured. The Splunk ACI app is actually a full-blown installation of Splunk on the APIC in a heavy forwarder configuration. So in order for this to work, you must configure a Receiver port on your Indexer/Receiver to consume this data from the APIC. At this time, the Splunk ACI app will only forward data unencrypted over TCP, so you must configure your Receiver port accordingly.

The Splunk ACI app gathers data by making REST calls to the APIC. At this time, these REST calls only support HTTP (not HTTPS), so you must configure your APIC Management Policy to allow management access over HTTP. This policy was found in Fabric > Fabric Policies > Pod Policies > Policies > Management Access > Default. The developers do have a way to reconfigure the Splunk ACI app to work over HTTPS, but it was only something the developer is able to do - I would not have the access to hack this myself as an end user. They plan to provide this as an option in a future Splunk ACI app release.

One final item... When you look on the Splunk web site, you will find 'Cisco ACI App for Splunk Enterprise' and 'Cisco ACI Add-on for Splunk Enterprise'. In order to see the data from the Splunk ACI app, all you need is to create an index on your indexer named 'apic' and install the 'Cisco ACI App for Splunk Enterprise' on your Search Head. But there is an alternative. You could also install and configure the 'Cisco ACI Add-on for Splunk Enterprise' on your indexer instead of installing the Splunk ACI app on your APIC. The Splunk Add-on will gather exactly the same data.

Having said all of that, here is my understanding of how to configure the Splunk ACI app:

Splunk Appliance IP Address - this is the address of your Indexer/Receiver

Username/Password: These are the credentials the Forwarder (Splunk ACI app) will use to register with the Receiver.

Active Port Number: This is the receiver port on your Receiver/Indexer

I was assured by the developers that the configuration screen will be improved for clarity in upcoming releases. They were very happy to hear my feedback and were excellent to work with. Thanks very much!
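
A pre-flight check for the receiver-side settings described in the reply above, as an added example that is not part of the original post or the app's own code. It reads `inputs.conf` and `indexes.conf` text and reports whether the chosen port is a plaintext `splunktcp` input and whether the `apic` index exists. Port 9997, the 192.0.2.x addresses and the function names are assumptions, and the `acceptFrom` finding is an added suggestion for limiting who can reach an unencrypted port.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text; settings before the first stanza land in a dummy section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive, as Splunk does
    cp.read_string("[__global__]\n" + text)
    return cp

def check_receiver(inputs_text, indexes_text, port, index="apic"):
    """Return findings for the receiver port the APIC-hosted forwarder will send to."""
    findings = []
    inputs, indexes = parse_conf(inputs_text), parse_conf(indexes_text)
    # Plaintext receiver stanzas are written as [splunktcp://<port>] or [splunktcp:<port>].
    plain = [s for s in (f"splunktcp://{port}", f"splunktcp:{port}") if inputs.has_section(s)]
    if inputs.has_section(f"splunktcp-ssl:{port}"):
        findings.append(f"port {port} is a TLS input; the app forwards unencrypted TCP")
    elif not plain:
        findings.append(f"no plaintext splunktcp stanza for port {port}")
    else:
        stanza = plain[0]
        if inputs.get(stanza, "disabled", fallback="0").strip().lower() in ("1", "true"):
            findings.append(f"[{stanza}] is disabled")
        if not inputs.get(stanza, "acceptFrom", fallback="").strip():
            findings.append(f"[{stanza}] has no acceptFrom; any host can send to it")
    if not indexes.has_section(index):
        findings.append(f"index '{index}' is not defined")
    return findings

# Constructed sample configuration (not taken from the thread).
GOOD_INPUTS = """
[splunktcp://9997]
acceptFrom = 192.0.2.10, 192.0.2.11, 192.0.2.12
"""
TLS_ONLY_INPUTS = "[splunktcp-ssl:9997]\n"
OPEN_INPUTS = "[splunktcp://9997]\n"
INDEXES = """
[apic]
homePath = $SPLUNK_DB/apic/db
coldPath = $SPLUNK_DB/apic/colddb
thawedPath = $SPLUNK_DB/apic/thaweddb
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_INPUTS), ("tls-only", TLS_ONLY_INPUTS), ("open", OPEN_INPUTS)):
        print(name, check_receiver(text, INDEXES, 9997) or "OK")
```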