Merakifying Splunk

Cisco Employee

Splunk is a great multifunction platform but it needs to be fed data. Without it, Splunk is a server that just burns electrons and generates heat. A few short years ago, the problem we faced was how do we generate the data. Now, taking advantage of the many Cisco Meraki APIs, we are shifting to a world where we must ask ourselves: what do we do with all this data? Hence, the Merafication of Splunk has arrived.

Let's explore a couple of options on how we Merakify Splunk:

Syslog:

You can easily send Splunk syslog information from Cisco Meraki devices. All you have to do is ensure the network devices can reach your Splunk server.

Dashboard setup:

  1. Go to Network-wide -> General.
  2. Under the Reporting section, click on “Add a syslog server.”
  3. Input the IPv4 address and destination port.
  4. You have the option to specify which type of syslog messages to send to the server.

Syslog server setup options.

Splunk recommendations:

  • To help distinguish your Meraki syslog data later, you can set up a separate index for it under Settings->Indexes. This is highly recommended, especially when pulling in data from multiple sources.
  • Using the default Search & Reporting app that comes on Splunk Enterprise, simply search for a parameter in the desired timeframe.

For example, using the ‘meraki’ index, we want to see all IPv6 traffic on the network that starts with 2001:

index=meraki src=2001*

Sample syslog output from a combined network.

CMX Analytics:

CMX can be viewed as the ability to take data generation to the next level by providing real-time engagement services [1]. The JSON-based [2] CMX API allows the network to be used as a tool of the trade that goes beyond simply providing Internet access. It can now be used as a marketing, revenue-generating machine.

Dashboard setup:

  1. Go to Network-wide -> General.
  2. Scroll down to the CMX section and enable the CMX API.
  3. Add the POST URL to the server you will be sending the data to.
    • IP addresses and hostnames are both acceptable formats.
    • Multiple servers can be set up from the same network.

NOTE: The data is sent from the dashboard to the Splunk server. Make sure the server is reachable over the specified POST URL.

CMX setup options to different destinations.

Splunk recommendations:

  • Install the Cisco Meraki Presence Modular Input - https://splunkbase.splunk.com/app/1711/
  • To help distinguish your Meraki CMX data later, you can set up a separate index for it under Settings->Indexes. This is highly recommended, especially when pulling in data from multiple sources.

For example, using the ‘cmx’ index, we want to see all real-time analytics as they are coming in:

index=cmx

Example CMX data of a dual-stack client device.
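
Because the dashboard POSTs to your server, the POST URL has to accept inbound requests, so a receiver should authenticate each body before anything is indexed. The sketch below is an added example, not code from the original post or from the Splunk modular input. It assumes the CMX API v2 body layout (a shared "secret" field plus data.observations) and uses a hypothetical function name, size cap and constructed sample values.

```python
import hmac
import json

# Constructed sample POST for one dual-stack client. Field names and the
# leading "/" on ipv4 are assumptions based on the CMX API v2 body format.
SAMPLE_POST = json.dumps({
    "version": "2.0", "secret": "example-shared-secret", "type": "DevicesSeen",
    "data": {"apMac": "00:18:0a:00:00:01", "observations": [{
        "clientMac": "aa:bb:cc:00:00:02", "ipv4": "/192.0.2.10",
        "ipv6": "2001:db8::10", "seenEpoch": 1468504800, "rssi": 34,
    }]},
}).encode()

MAX_BODY = 1_000_000  # hypothetical cap; reject oversized bodies before parsing


def cmx_to_events(body: bytes, expected_secret: str) -> list:
    """Authenticate one CMX POST body and flatten it to one event per client."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        msg = json.loads(body)
    except ValueError as exc:  # JSONDecodeError and bad UTF-8 both land here
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(msg, dict):
        raise ValueError("unexpected JSON shape")
    # Constant-time comparison, so the check does not leak the secret by timing.
    supplied = str(msg.get("secret", "")).encode()
    if not hmac.compare_digest(supplied, expected_secret.encode()):
        raise PermissionError("shared secret mismatch")
    data = msg.get("data")
    if not isinstance(data, dict) or not isinstance(data.get("observations"), list):
        raise ValueError("missing data.observations")
    events = []
    for obs in data["observations"]:
        if not isinstance(obs, dict):
            continue  # skip malformed entries instead of indexing them
        events.append({
            "ap_mac": data.get("apMac"),
            "client_mac": obs.get("clientMac"),
            "ipv4": str(obs.get("ipv4") or "").lstrip("/") or None,
            "ipv6": obs.get("ipv6"),
            "rssi": obs.get("rssi"),
            "time": obs.get("seenEpoch"),
        })
    return events
```

Each returned dictionary is one flat event per observed client, which keeps searches against the 'cmx' index simple. Rejected bodies raise before any event is produced.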

Splunk has many handy tools and algorithms that allow the data to be manipulated and presented in many ways. You can get creative by generating dashboards like the one below:

Retail customer example of foot traffic.

JSON has become the popular form-factor to request and deliver data because it is modular and flexible. After that, it is up to us and our imaginations to figure out how to display the data and make the best use of it. We would love to see how creative you can be. Reach out and get showcased on http://developers.meraki.com.

References:

[1] https://documentation.meraki.com/MR/Monitoring_and_Reporting/CMX_Analytics

[2] http://www.json.org/

COME SEE US AT CISCO LIVE LAS VEGAS

“Real-Time Retail Analytics with Splunk and Meraki” - presented by Colin Lowenberg and Wissam Ali-Ahmad (from Splunk)

Thursday, July 14, 2:00 p.m.

FYI, the title online is: Mobile Presence and Operational Analytics with Splunk and Meraki

http://www.ciscolive.com/us/learn/sessions/session-catalog/?search=DEVNET-2051

Session ID: DEVNET-2051

1 Comment
Contributor

jhandal11, thanks for posting this. I will take a look at what's possible!
