Cisco Catalyst Add-on for Splunk
OVERVIEW
Cisco Catalyst Add-on for Splunk collects data from several Cisco products: Cisco Identity Services Engine, Cisco SD-WAN, Cisco DNA Center, and Cisco Cyber Vision. The add-on parses the data from these sources and stores it in Splunk indexes.
- Author - Cisco Systems
- Version - 2.0.0
- Build - 1
- Prerequisites - This application depends on Splunk Add-on for Stream Forwarders, Splunk App for Stream and Cisco Catalyst Enhanced Netflow Add-on for Splunk to collect NetFlow data.
COMPATIBILITY MATRIX
- Browser: Google Chrome, Mozilla Firefox & Safari
- OS: Linux, macOS, Windows
- Splunk Enterprise Version: Splunk 9.1.x, Splunk 9.2.x, Splunk 9.3.x, Splunk 9.4.x
- Supported Splunk Deployment: Standalone, Distributed & Cluster
- Splunk Add-on for Stream Forwarders (Third Party Dependency): 8.1.0 & 8.0.2
- Splunk App for Stream (Third Party Dependency): 8.1.0 & 8.0.2
- Cisco Catalyst Enhanced Netflow Add-on for Splunk (Third Party Dependency): 1.0.0
RECOMMENDED SYSTEM CONFIGURATION
TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT
1) Standalone Mode
- Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on a single machine. This single machine serves as Search Head, Indexer and Heavy Forwarder in this setup.
- The "Cisco Enterprise Networking for Splunk Platform" uses the data parsed by the "Cisco Catalyst Add-on for Splunk" and builds dashboards on it.
2) Distributed Environment
- Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on the search head.
- Install only "Cisco Catalyst Add-on for Splunk" on the heavy forwarder.
- The user must manually create an index on the Indexer (there is no need to install "Cisco Enterprise Networking for Splunk Platform" on the Indexer).
- Note: Installing "Cisco Catalyst Add-on for Splunk" on the Indexer is required when a universal forwarder is used.
RELEASE NOTES
Version 2.0.0
- Introduced a new, user-friendly custom interface for the Application Setup of the Add-On.
- Added Client and Audit Logs inputs for DNA Center.
- Added support for configuring Syslog inputs directly from the Add-on UI.
- Added support for data collection for the following Cisco SD-WAN types:
  - Unified Threat Defense/Link Details
  - Unified Threat Defense Health
  - Link Health
  - Site/Tunnel Health
  - Site Health
  - Tunnel Health
  - SSE Tunnels
- Added support for data collection for the following Cisco Identity Services Engine (ISE) types:
  - Security Group Tags
  - Authz Policy Hit
  - ISE TACACS Rule Hit
  - IP-SGT Bindings
Version 1.1.2
- Removed timestamp parameters from client-health and network-health endpoints for Cisco DNA Center.
- Enhanced device-health endpoint to include data for the last 15 minutes for Cisco DNA Center.
Version 1.1.1
- Fixed indextime extractions for Cisco DNA Center.
Version 1.1.0
- Added support for the data collection of Cisco Cyber Vision.
Version 1.0.0
- The Add-On supports data collection for the following products:
  - Cisco Identity Services Engine
  - Cisco SD-WAN
  - Cisco DNA Center
- Added support for the additional log sources for Cisco SD-WAN:
LOOKUPS
- cisco_ise_message_catalog_420.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT
- cisco_ise_service.csv: Maps MESSAGE_CODE to SERVICE
- cisco_ise_change_message_code_420.csv: Maps MESSAGE_CODE to change_type, command, object, object_attrs, object_category, result
- cisco_ise_message_catalog_2024.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT, dataset_name, action, type
- cisco_cybervision_asset_site_system_mappings: Maps host with asset_system and site_id
- cisco_cybervision_severity_lookup: Maps severity_id with severity
- ta_cisco_catalyst_security_group_tag_mapping: Maps ise_host with ise_server, security_group_tag and security_group_name
UNINSTALL & CLEANUP STEPS
- Remove $SPLUNK_HOME/etc/apps/TA_cisco_catalyst
- Restart the Splunk Enterprise instance so that the cleanup is reflected in the UI
BINARY FILE DECLARATION
- md.cpython-37m-x86_64-linux-gnu.so - This file is generated by a nested library dependency.
- md__mypyc.cpython-37m-x86_64-linux-gnu.so - This file is generated by a nested library dependency.
SUPPORT
Copyright (c) 2025 Cisco Systems, Inc. All rights reserved.