
 

Cisco Meraki Documentation

Cisco Meraki Add-on for Splunk

Component | Details
Version | 3.3.0
Vendor Products | Cisco Meraki API v1.53.0
Visible in Splunk Web | Yes. This add-on contains views for configuration.

 

Download the Cisco Meraki Add-on for Splunk from Splunkbase.

Overview

The Cisco Meraki Add-on for Splunk lets you monitor Cisco Meraki networks and devices across one or multiple organizations.

The add-on collects data via the Cisco Meraki REST APIs and network alerts via webhooks, providing CIM-compatible knowledge for use with other Splunk apps such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

With this add-on you can:

  • Multi-organization analytics: Gain unified visibility across multiple Meraki organizations
  • Extended historical analysis: Enable long-term trending and capacity planning
  • Security and compliance: Centralize monitoring and configuration tracking
  • Cross-platform correlation: Correlate Meraki telemetry with other Cisco and third-party products
  • Automation and reporting: Automate custom alerts, reports, and workflows

Architecture

  • REST API inputs: Scheduled collection of configuration and telemetry from the Meraki Dashboard API
  • Webhooks: Near real-time alerts from the Meraki Dashboard delivered to Splunk via HTTP Event Collector (HEC)
  • Knowledge objects: Sourcetypes, field extractions, and macros optimized for Meraki data

 

Splunk example dashboard of Meraki API metrics

Installation

Quick Start

  1. Install the Cisco Meraki Add-on for Splunk from Splunkbase
  2. In the add-on Configuration ▸ Organization, configure Meraki credentials:
    • API key (all regions), or
    • OAuth (US commercial orgs only)
    • KV Store: Ensure KV Store is enabled in Splunk (required for configuration/state)
  3. Configure Splunk HEC (required for webhooks):
    • Enable HEC and note the HEC port (default 8088)
    • Create an HEC token with sourcetype meraki:webhook
  4. Create webhook receivers from the TA inputs menu
  5. Start collecting Meraki API data by enabling inputs
  6. Verify: search sourcetype="meraki:*"

Splunk Platform Requirements

  • Splunk Enterprise or Splunk Cloud: Platform versions 10.2, 10.1, 10.0, 9.4, 9.3, or 9.2
  • CIM: Tested with Common Information Model (CIM) versions 4.x, 5.x, and 6.x
  • OS / browser: Platform independent
  • Python: Python 3
  • KV Store: Must be enabled on search heads and heavy forwarders

Deployment Options

  • Search Heads: Required for knowledge objects and configuration UI
  • Indexers: Optional; install if parsing on indexers or for consistency
  • Heavy Forwarders / IDM: Required for Meraki API data collection
  • Universal Forwarders: Not supported for this add-on

For distributed deployments, install the add-on on:

  • Search heads (for knowledge and configuration)
  • Heavy forwarders or IDM (for inputs and API calls)
  • Optionally on indexers (for sourcetypes and props)

Configure

Meraki Credentials

The add-on supports two authentication methods to the Meraki Dashboard API:

  • API key authentication (all regions)
  • OAuth 2.0 scoped access (US commercial organizations only)

API Key

  1. In the Meraki Dashboard, navigate to Organization ▸ API & Webhooks
  2. Generate an API key (or reuse an existing key with appropriate read permissions)
  3. Store the key securely; it is shown only once
  4. Ensure API access is enabled for the organization

Organization ID

You will need your Meraki organization ID for configuration.

From the Dashboard footer: The organization ID appears in the footer when viewing an organization.

From the API:

  • Open https://api.meraki.com/api/v1/organizations in a browser while logged in, or
  • Use cURL:
curl -L --request GET \
  --url https://api.meraki.com/api/v1/organizations \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <API_KEY>'

Device Configuration

For clearer dashboards and searches:

  • Name devices (access points, cameras, security appliances, switches, sensors) consistently in the Meraki Dashboard
  • Use naming conventions that include location, role, and site as needed

Set up the Add-on

  1. On Splunk Web, go to the Cisco Meraki Add-on for Splunk
  2. Click the Configuration tab
  3. Click the Organization tab
  4. In the Add Organization dialogue box, fill in the required fields:

    Field | Description
    Organization Name | The name of your Cisco Meraki organization
    Service Region | Select the appropriate region:
      • Global (default, uses api.meraki.com)
      • India (uses api.meraki.in)
      • Canada (uses api.meraki.ca)
      • China (uses api.meraki.cn)
      • FedRAMP (US Government, uses api.gov-meraki.com)
      • Other (allows custom base URL for proxies or non-standard endpoints)
    Base URL | The API base URL (auto-populated based on region, or enter a custom https:// URL when using Other)
    Organization ID | The organization ID you obtained from Cisco Meraki
    Organization API Key | The organization API key you obtained from Cisco Meraki (or use OAuth)
  5. If using a proxy, check Enable Proxy and fill in the required fields

Note: The add-on supports multiple Meraki regions including Global (default), India, Canada, China, FedRAMP (US Government), and Other for custom proxy or non-standard endpoint configurations.

(Optional) Change logging level

  1. Go to the Configuration tab
  2. Click the Logging tab
  3. Select a new logging level from the drop-down menu
  4. Click Save

(Optional) Proxy setup

  1. Go to the Configuration tab
  2. Click the Proxy tab
  3. Check Enable and fill in the required fields

Only HTTPS proxies are supported.

Configure a proxy using configuration files

You can also configure your proxy using the configuration files:

  1. Create or edit $SPLUNK_HOME/etc/apps/Splunk_TA_cisco_meraki/local/splunk_ta_cisco_meraki_settings.conf
  2. Fill in values for your proxy:

    [proxy]
    proxy_enabled = 1
    proxy_url = <proxy-host>
    proxy_port = <proxy-port>
    proxy_username = <username>
    proxy_password = <password>
    

Restart the Splunk instance hosting the inputs after changes.

Configuring OAuth

Availability: OAuth for the Meraki Dashboard API is currently supported only for US commercial organizations. Other regions must continue to use an API key.

OAuth 2.0 uses scoped tokens so the add-on can access only the Meraki data you enable (instead of using a long-lived API key).

For full background, see Meraki's OAuth overview: https://developer.cisco.com/meraki/api-v1/oauth-overview/.

What You Need

  • A Meraki OAuth application registered at https://integrate.cisco.com
  • The application Client ID and Client secret
  • The OAuth scopes required for the inputs you plan to enable (see the OAuth Scopes column in the Inputs and API reference table)
  • The redirect URI (shown by the add-on in Configuration ▸ Organization when you select OAuth)

Steps to Configure OAuth

  1. Register the integration at https://integrate.cisco.com and select the required scopes
  2. In Configuration ▸ Organization for your Splunk organization record:
    • Choose OAuth
    • Enter the Client ID and Client secret
  3. Use the add-on's Connect/Authorize action to complete the admin grant

Once configured, new and existing inputs for that organization will use OAuth tokens instead of the API key.

Note: Ensure the OAuth Web App has been granted all necessary scopes before configuring inputs. If an input requires a scope not granted, the input will receive 403 Forbidden errors.

Configure Inputs

Inputs define which Meraki API endpoints and telemetry streams are collected.

Manage Inputs

  1. In Splunk Web, open Cisco Meraki Add-on for Splunk ▸ Inputs
  2. Click Create New Input
  3. Select the desired input type
  4. Fill required fields:
    • Name: A unique, descriptive input name
    • Organization: Select the configured organization
    • Interval: Polling interval in seconds
    • Start From (if applicable): Begin polling from N days in the past
    • Top Count (if applicable): Number of top records to retrieve
    • Index: Target index for the data
  5. Click Save

To manage existing inputs:

  • Disable / enable: Toggle the status in Inputs
  • Edit: Use Action ▸ Edit to change schedule, index, or organization
  • Clone / delete: Use Action ▸ Clone/Delete as needed

Migrating from Version 2.x

Pre-upgrade Steps

  1. Back up your existing configuration
  2. Document all configured inputs and organizations
  3. Note any custom macros or field extractions

Post-upgrade Configuration

  1. Reconfigure organizations in the new Organization page
  2. Re-create inputs using the new input creation workflow
  3. Update macros to reflect new index configurations if needed
  4. Test webhook configurations

Verification Steps

  1. Verify data is being collected: index=* sourcetype="meraki:*" | stats count by sourcetype
  2. Check add-on logs: index="_internal" source="*splunk_ta_cisco_meraki*.log*"
  3. Confirm webhooks are working: index=* sourcetype="meraki:webhook"

Webhook Alerts

Webhook alerts deliver real-time events from the Meraki Dashboard into Splunk.

Splunk Configuration

Generate a HEC token

  1. In Splunk Web, go to Settings ▸ Data Inputs ▸ HTTP Event Collector
  2. Ensure HEC is enabled and note the HTTP port (default 8088)
  3. Create a new token:
    • Name: For example, Meraki Webhook
    • Sourcetype: meraki:webhook
    • Index: Target index for webhook data
  4. Save and copy the token value

Meraki Configuration

Starting with v3.2, you configure the receiver from the TA inputs menu. The TA creates the Meraki webhook receiver and payload template automatically.

  1. In Splunk Web, go to Inputs ▸ Create New Input
  2. Select Webhook Logs (HEC)
  3. Provide:
    • Organization: the org configured in the add-on
    • Network: the target network for the receiver
    • Webhook Name: the receiver identity to use in Meraki alert recipients
    • HEC token: the HEC token value you copied above
    • HEC URL base: https://<splunk-host>:<hec-port>
  4. Click Save

Test Webhook

On Meraki Platform

Use the Meraki Dashboard webhook test feature to send a test alert.

On Splunk Platform

Search for webhook events:

index=<WEBHOOK_INDEX> sourcetype="meraki:webhook"

Assigning Alerts

After the receiver exists, assign it as an alert recipient in Meraki:

  1. In the Meraki Dashboard, go to Network‑Wide ▸ Alerts
  2. Add the Webhook Name you entered in the Splunk input
  3. Enable the alert types you want to receive

Reference

Macros

Macros are reusable expressions that simplify and streamline searches by encapsulating common logic or calculations.

Configuring Macros

You can modify macros in Splunk by following these steps:

  1. Navigate to Settings > Advanced Search > Search macros

  2. Once the macros page opens:

    • Go to the apps dropdown
    • Select "Cisco Meraki Add-on for Splunk"
    • This shows the list of macros created for Cisco Meraki
  3. To edit a macro:

    • Click on the name of the macro to open the editing window
    • If you have a separate index for your data collection, you can update the macro definition to add support for that index
    • By default the supported index is main
    • To add more indexes, add a comma (,) followed by each additional index name

Example:

index IN( main , test_index )


Sourcetypes

The Cisco Meraki Add-on for Splunk provides search-time knowledge for Meraki data in the following formats. For the complete list of all 50+ sourcetypes, please refer to the Inputs and API reference table below.

Input Patterns

The inputs have common configuration patterns as described below:

Pattern 1

Time series, historical APIs

Parameters | Type | Description
Name | Textbox | Name of the input
Organization | Dropdown | Select Organization configured from the Organizations Page
Interval | Textbox | Time interval for input in seconds
Start From | Textbox | Start getting data from given past days
Index | Textbox | Name of index in which you want to ingest data


Pattern 2

Current state / inventory APIs

Parameters | Type | Description
Name | Textbox | Name of the input
Organization | Dropdown | Select Organization configured from the Organizations Page
Interval | Textbox | Time interval for input in seconds
Index | Textbox | Name of index in which you want to ingest data


Pattern 3

Top‑N summary APIs

Parameters | Type | Description
Name | Textbox | Name of the input
Organization | Dropdown | Select Organization configured from the Organizations Page
Interval | Textbox | Time interval for input in seconds
Start From | Textbox | Start getting data from given past days
Top Count | Textbox | Number of top records to retrieve
Index | Textbox | Name of index in which you want to ingest data


Inputs and API reference

This table lists the available inputs, their sourcetypes, Meraki API operations, associated OAuth scopes, and documentation links. Use it to plan which data to ingest and which OAuth scopes to grant.

Note: For webhook provisioning (v3.2+), you typically only create/configure the Webhook Logs (HEC) input; other webhook-related operations in the table are internal helper operations the TA uses when provisioning the Meraki receiver.

Input | Description | Sourcetype | Default Interval | Group | API Operation | TA Version | OAuth Scopes
Access Points | Wireless access point events | meraki:accesspoints | daily | Wireless | getNetworkEvents | 2 | dashboard:general:telemetry:read
Air Marshal | Air Marshal wireless network security data | meraki:airmarshal | daily | Wireless | getNetworkWirelessAirMarshal | 2 | wireless:config:read
Audit | Organization configuration changes | meraki:audit | daily | Organization | getOrganizationConfigurationChanges | 2 | dashboard:general:config:read
Cameras | Camera events | meraki:cameras | daily | Camera | getNetworkEvents | 2 | dashboard:general:telemetry:read
Organization Networks | List of organization networks | meraki:organizationsnetworks | daily | Organization | getOrganizationNetworks | 2 | dashboard:general:config:read
Organization Security | Organization security events | meraki:organizationsecurity | 6 minutes | Organization | getOrganizationSecurityEvents | 2 | dashboard:general:telemetry:read
Organizations | List of organizations | meraki:organizations | daily | Organization | getOrganizations | 2 | N/A
Security Appliances | Security appliances events | meraki:securityappliances | 6 minutes | Appliance | getNetworkEvents | 2 | dashboard:general:telemetry:read
Switches | Switch events | meraki:switches | daily | Switch | getNetworkEvents | 2 | dashboard:general:telemetry:read
API Requests History | List the API requests made by an organization | meraki:apirequestshistory | daily | API | getOrganizationApiRequests | 3 | dashboard:general:telemetry:read
API Requests Overview | Return an aggregated overview of API requests data for an organization | meraki:apirequestsoverview | daily | API | getOrganizationApiRequestsOverview | 3 | dashboard:general:telemetry:read
API Requests Response Codes | Track an organization's API requests by response code over a specified time period | meraki:apirequestsresponsecodes | daily | API | getOrganizationApiRequestsOverviewResponseCodesByInterval | 3 | dashboard:general:telemetry:read
Appliance VPN Stats | Provide statistics on SD-WAN appliances in an organization | meraki:appliancesdwanstatistics | daily | Appliance | getOrganizationApplianceVpnStats | 3 | sdwan:telemetry:read
Appliance VPN Statuses | Return the statuses of SD-WAN appliances in an organization | meraki:appliancesdwanstatuses | daily | Appliance | getOrganizationApplianceVpnStatuses | 3 | sdwan:telemetry:read
Assurance Alerts | Return all health alerts for an organization | meraki:assurancealerts | 1 hour | Assurance | getOrganizationAssuranceAlerts | 3 | dashboard:general:telemetry:read
Device Availabilities Change History | List the availability history information for devices in an organization | meraki:devicesavailabilitieschangehistory | 1 hour | Platform / Devices | getOrganizationDevicesAvailabilitiesChangeHistory | 3 | dashboard:general:telemetry:read
Device Uplink Addresses by Device | List the current uplink addresses for devices in an organization | meraki:devicesuplinksaddressesbydevice | daily | Platform / Devices | getOrganizationDevicesUplinksAddressesByDevice | 3 | dashboard:general:telemetry:read
Firmware Upgrades | Return the firmware upgrade history for devices within an organization | meraki:firmwareupgrades | daily | Organization | getOrganizationFirmwareUpgrades | 3 | dashboard:general:config:read
Licenses Coterm Licenses | Retrieve details of co-term licenses for an organization | meraki:licensescotermlicenses | daily | Licensing | getOrganizationLicensingCotermLicenses | 3 | dashboard:licensing:config:read
Licenses Overview | Return an overview of licensing details for an organization | meraki:licensesoverview | daily | Licensing | getOrganizationLicensesOverview | 3 | dashboard:licensing:config:read
Licenses Subscription Entitlements | List subscription entitlements managed by the organization | meraki:licensessubscriptionentitlements | daily | Licensing | getAdministeredLicensingSubscriptionEntitlements | 3 | dashboard:licensing:config:read
Licenses Subscriptions | Provide subscription information managed by the organization | meraki:licensessubscriptions | daily | Licensing | getAdministeredLicensingSubscriptionSubscriptions | 3 | dashboard:licensing:config:read
Sensor Readings History | Return all reported readings from sensors in a given timespan sorted by timestamp | meraki:sensorreadingshistory | daily | Sensor | getOrganizationSensorReadingsHistory | 3 | sensor:telemetry:read
Summary Appliances Top by Utilization | Return the top 10 appliances sorted by utilization over a given time range | meraki:summarytopappliancesbyutilization | daily | Summary | getOrganizationSummaryTopAppliancesByUtilization | 3 | sdwan:telemetry:read
Summary Top Clients by Usage | Return metrics for organization's top 10 clients by data usage (in mb) over a given time range | meraki:summarytopclientsbyusage | daily | Summary | getOrganizationSummaryTopClientsByUsage | 3 | dashboard:general:telemetry:read
Summary Top Devices by Usage | Return metrics for organization's top 10 devices sorted by data usage over a given time range | meraki:summarytopdevicesbyusage | daily | Summary | getOrganizationSummaryTopDevicesByUsage | 3 | dashboard:general:telemetry:read
Summary Top Switches by Energy Usage | Return metrics for the organization's top 10 switches by energy usage over a specified time range | meraki:summarytopswitchesbyenergyusage | daily | Summary | getOrganizationSummaryTopSwitchesByEnergyUsage | 3 | switch:telemetry:read
Switch Ports Overview | Return counts of all active switch ports for a specified time span grouped by speed | meraki:switchportsoverview | daily | Switch | getOrganizationSwitchPortsOverview | 3 | switch:telemetry:read
Wireless Devices Ethernet Statuses | List the most recent Ethernet link speed duplex aggregation and power mode and status information for wireless devices | meraki:wirelessdevicesethernetstatuses | daily | Wireless | getOrganizationWirelessDevicesEthernetStatuses | 3 | wireless:telemetry:read
Wireless Packet Loss by Device | Get average packet loss for the given timespan for all networks in the organization | meraki:wirelessdevicespacketlossbydevice | daily | Wireless | getOrganizationWirelessDevicesPacketLossByDevice | 3 | wireless:telemetry:read
Devices | List the devices in an organization including metadata and tags | meraki:devices | daily | Platform / Devices | getOrganizationDevices | 3.2 | dashboard:general:config:read
HEC Token Management | Retrieve and manage Splunk HTTP Event Collector tokens for webhook configuration | N/A | N/A (configuration) | Webhooks | Splunk HEC API | 3.2 | N/A
Network ID Lookup | Helper endpoint to retrieve network IDs for webhook configuration | N/A | N/A (configuration) | Configuration | getOrganizationNetworks | 3.2 | dashboard:general:config:read
Power Modules Statuses by Device | Get power status information for devices in an organization | meraki:powermodulesstatusesbydevice | 1 hour | Platform / Devices | getOrganizationDevicesPowerModulesStatusesByDevice | 3.2 | dashboard:general:telemetry:read
Switch Ports by Switch | List the ports for the requested switches | meraki:switchportsbyswitch | daily | Switch | getOrganizationSwitchPortsBySwitch | 3.2 | switch:config:read
Switch Ports Transceivers Readings History by Switch | Return transceiver reading history for switches in the organization | meraki:portstransceiversreadingshistorybyswitch | daily | Switch | getOrganizationSwitchPortsTransceiversReadingsHistoryBySwitch | 3.2 | switch:telemetry:read
Switch Power History | Get power consumption history for switches in the organization | meraki:summaryswitchpowerhistory | daily | Switch | getOrganizationSummarySwitchPowerHistory | 3.2 | switch:telemetry:read
Webhook | Receive real-time webhook alerts from Meraki Dashboard | meraki:webhook | N/A (receiver) | Webhooks | Webhook Receiver Endpoint | 3.2 | N/A
Webhook HTTP Server - Create | Create HTTP server for webhook receiver in Meraki Dashboard | N/A | N/A (configuration) | Webhooks | createOrganizationWebhooksHttpServer | 3.2 | N/A
Webhook HTTP Server - Delete | Delete HTTP server for webhook receiver in Meraki Dashboard | N/A | N/A (configuration) | Webhooks | deleteOrganizationWebhooksHttpServer | 3.2 | N/A
Webhook Logs | Returns the log of webhook POSTs sent | meraki:webhooklogs:api | 1 hour | Webhooks | getOrganizationWebhooksLogs | 3.2 | dashboard:general:telemetry:read
Webhook Payload Template - Create | Create custom payload template for webhooks | N/A | N/A (configuration) | Webhooks | createOrganizationWebhooksPayloadTemplate | 3.2 | dashboard:general:telemetry:write
Webhook Payload Template - Delete | Delete custom payload template for webhooks | N/A | N/A (configuration) | Webhooks | deleteOrganizationWebhooksPayloadTemplate | 3.2 | dashboard:general:telemetry:write
Webhook Payload Template - List | List custom payload templates for webhooks | N/A | N/A (configuration) | Webhooks | getOrganizationWebhooksPayloadTemplates | 3.2 | dashboard:general:telemetry:read
Webhook Testing | Test webhook connection to validate configuration | N/A | N/A (configuration) | Webhooks | createOrganizationWebhooksWebhookTest | 3.2 | N/A
Wireless Controller Availabilities Change History | Return availability history for wireless controllers in the organization | meraki:wirelesscontrolleravailabilitieschangehistory | daily | Wireless Controller | getOrganizationWirelessControllerAvailabilitiesChangeHistory | 3.2 | wireless:telemetry:read
Wireless Controller Devices Interfaces Packets Overview by Device | Return packet overview history for wireless controller devices' interfaces | meraki:wirelesscontrollerdevicesinterfacespacketsoverviewbydevice | daily | Wireless Controller | getOrganizationWirelessControllerDevicesInterfacesPacketsOverviewByDevice | 3.2 | wireless:telemetry:read
Wireless Controller Devices Interfaces Usage History by Interval | Return usage history for wireless controller devices' interfaces in the organization | meraki:wirelesscontrollerdevicesinterfacesusagehistorybyinterval | daily | Wireless Controller | getOrganizationWirelessControllerDevicesInterfacesUsageHistoryByInterval | 3.2 | wireless:telemetry:read
Wireless Devices Wireless Controllers by Device | Return the wireless controllers associated with wireless devices in the organization | meraki:wirelessdeviceswirelesscontrollersbydevice | daily | Wireless Controller | getOrganizationWirelessDevicesWirelessControllersByDevice | 3.2 | wireless:config:read
Devices Availabilities | Return the availability information for devices in an organization | meraki:devicesavailabilities | daily | Platform / Devices | getOrganizationDevicesAvailabilities | 3.3 | dashboard:general:telemetry:read
Devices Uplinks Loss and Latency | Return the uplink loss and latency for every MX and MG in the organization | meraki:devicesuplinkslossandlatency | daily | Platform / Devices | getOrganizationDevicesUplinksLossAndLatency | 3.3 | dashboard:general:telemetry:read
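
One way to use the table for least-privilege scope planning, as an added example (not code from the add-on or from Cisco): it reports which scopes the chosen inputs need, which inputs would hit 403 Forbidden with the current grant, and which granted scopes nothing uses. The function name and result keys are hypothetical; the input names and scopes are a subset of the rows above.

```python
# Added example, not the add-on's code. Input name -> OAuth scope, copied from
# a subset of the "Inputs and API reference" rows; None marks an "N/A" row.
INPUT_SCOPES = {
    "Organizations": None,
    "Access Points": "dashboard:general:telemetry:read",
    "Air Marshal": "wireless:config:read",
    "Audit": "dashboard:general:config:read",
    "Organization Networks": "dashboard:general:config:read",
    "Organization Security": "dashboard:general:telemetry:read",
    "Security Appliances": "dashboard:general:telemetry:read",
    "Appliance VPN Stats": "sdwan:telemetry:read",
    "Licenses Overview": "dashboard:licensing:config:read",
    "Sensor Readings History": "sensor:telemetry:read",
    "Switch Ports Overview": "switch:telemetry:read",
    "Switch Ports by Switch": "switch:config:read",
    "Wireless Packet Loss by Device": "wireless:telemetry:read",
    "Devices": "dashboard:general:config:read",
    "Webhook Logs": "dashboard:general:telemetry:read",
    "Webhook Payload Template - Create": "dashboard:general:telemetry:write",
}

# The troubleshooting section names offline_access as a scope that is not
# enough on its own; it maps to no input, so it is never reported as surplus.
NON_INPUT_SCOPES = {"offline_access"}


def plan_scopes(enabled_inputs, granted_scopes):
    """Compare the scopes the chosen inputs need with what the OAuth app holds."""
    needed_by = {}          # scope -> inputs that depend on it
    unknown = []            # names that are not in INPUT_SCOPES (typos, new rows)
    for name in enabled_inputs:
        if name not in INPUT_SCOPES:
            unknown.append(name)
        elif INPUT_SCOPES[name]:
            needed_by.setdefault(INPUT_SCOPES[name], []).append(name)
    granted = set(granted_scopes)
    surplus = sorted(granted - set(needed_by) - NON_INPUT_SCOPES)
    return {
        # scopes to select when registering the integration
        "grant": sorted(needed_by),
        # scope -> inputs that would receive 403 Forbidden today
        "missing": {s: sorted(n) for s, n in needed_by.items() if s not in granted},
        # granted but unused by any chosen input: candidates for removal
        "surplus": surplus,
        # unused write access deserves the first look
        "surplus_write": [s for s in surplus if s.endswith(":write")],
        "unknown_inputs": sorted(unknown),
    }


if __name__ == "__main__":
    # Constructed plan and grant, for illustration only.
    report = plan_scopes(
        ["Audit", "Organization Security", "Air Marshal"],
        ["offline_access", "dashboard:general:config:read",
         "dashboard:general:telemetry:read", "dashboard:general:telemetry:write"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```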

 

Troubleshooting

Quick Checks

API Connectivity

Test API key or OAuth access:

curl -L -X GET \
  'https://api.meraki.com/api/v1/organizations' \
  -H 'Authorization: Bearer <API_KEY_OR_TOKEN>'

You should receive a list of organizations. If you see 403 or 404, verify API access, credentials, and scopes.

Check add-on logs

index="_internal" source="*splunk_ta_cisco_meraki*.log*"

Filter for ERROR to identify configuration or connectivity problems.

Common Issues and Fixes

Authentication Issues

  • 401 Unauthorized:
    • API Key: Verify the API key is correct and has not been revoked in the Meraki Dashboard
    • OAuth: Access token may be expired. Check if automatic token refresh is working by reviewing logs for "Token refresh" messages
    • New API key/org: If the key or organization was just created, wait 1-2 minutes for API propagation
  • 403 Forbidden:
    • Insufficient permissions: API key must have organization-level read access
    • OAuth scopes missing: If using OAuth, verify the Web App has been granted the required scopes (not just offline_access). Check logs for "No scopes are granted to the Meraki Web App"
    • IP whitelist: If the API key has IP restrictions configured in Meraki Dashboard, ensure the Splunk server IP is whitelisted
  • OAuth token refresh failures:
    • Verify client_id and client_secret match the Meraki Web App configuration
    • Check if the refresh token has been revoked in the Meraki Dashboard
    • Confirm the authorization endpoint is correct (default: as.meraki.com)
    • Review splunk_ta_cisco_meraki_rh_oauth2_token logs for token fetch errors

Rate Limiting (429 Too Many Requests)

  • Reduce API call rate: Lower the Max API calls per second setting in the organization configuration (default: 5 calls/sec)
  • Stagger inputs: If multiple inputs are configured for the same organization, adjust their schedules to avoid simultaneous execution
  • Monitor rate limiter: Check logs for "Rate limit exceeded" warnings. The add-on automatically waits 30 seconds before retrying
  • Review concurrent inputs: Multiple Splunk instances collecting from the same org can exceed combined rate limits
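
The two behaviours described above, pacing to a calls-per-second budget and waiting after a 429, as an added sketch for anyone scripting against the same organization alongside the add-on (this is not the add-on's implementation). The class and function names, the 120-second cap and the injected `send(url) -> (status, headers, body)` transport are assumptions of this example; 5 calls/sec and the 30-second wait are the defaults the page states.

```python
import time

DEFAULT_WAIT = 30    # seconds; the wait this page says the add-on uses after a 429
MAX_WAIT = 120       # assumption of this example: cap on a server-supplied wait


def retry_wait(headers, default=DEFAULT_WAIT):
    """Seconds to back off after a 429: a sane Retry-After value, else default."""
    raw = {k.lower(): v for k, v in headers.items()}.get("retry-after")
    try:
        seconds = float(raw)
    except (TypeError, ValueError):      # header absent, or an HTTP-date form
        return default
    if not 0 <= seconds < float("inf"):  # rejects negatives, NaN and inf
        return default
    return min(seconds, MAX_WAIT)


class PacedClient:
    """Spaces requests evenly and retries 429 responses a bounded number of times."""

    def __init__(self, send, max_calls_per_sec=5, max_retries=3,
                 clock=time.monotonic, sleep=time.sleep):
        self.send = send                         # callable(url) -> (status, headers, body)
        self.min_gap = 1.0 / max_calls_per_sec
        self.max_retries = max_retries
        self.clock, self.sleep = clock, sleep
        self.next_slot = 0.0                     # earliest time the next call may start

    def pace(self):
        now = self.clock()
        if now < self.next_slot:
            self.sleep(self.next_slot - now)
        self.next_slot = max(now, self.next_slot) + self.min_gap

    def get(self, url):
        for attempt in range(self.max_retries + 1):
            self.pace()
            status, headers, body = self.send(url)
            if status != 429:
                return status, body
            if attempt < self.max_retries:
                self.sleep(retry_wait(headers))
        raise RuntimeError(f"still rate limited after {self.max_retries} retries: {url}")


class FakeClock:
    """Constructed clock so the demo runs instantly and deterministically."""

    def __init__(self):
        self.now, self.sleeps = 0.0, []

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.sleeps.append(round(seconds, 3))
        self.now += seconds


def demo():
    """Replay a constructed response script: two 429s among four requests."""
    script = iter([(200, {}, "a"), (200, {}, "b"),
                   (429, {"Retry-After": "2"}, ""), (200, {}, "c"),
                   (429, {}, ""), (200, {}, "d")])
    clock = FakeClock()
    client = PacedClient(lambda url: next(script),
                         clock=clock.time, sleep=clock.sleep)
    bodies = [client.get(f"/organizations/ORG_ID/item{i}")[1] for i in range(4)]
    return bodies, clock.sleeps


if __name__ == "__main__":
    print(demo())
```

When several scripts or Splunk instances share one organization, each needs a share of the budget rather than the full default, since the limit applies to their combined traffic.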

Data Collection Issues

  • No data ingested:
    • Verify credentials are valid using the API connectivity test above
    • Confirm the organization ID is correct and accessible
    • Verify the correct Service Region is selected and Base URL matches your Meraki region
    • Ensure inputs are enabled in the inputs configuration
    • Check the target index exists and is searchable
    • Review input logs for errors: index="_internal" source="*[input_name]*"
  • Missing historical data:
    • Check the Start from days ago parameter for time-series inputs
    • Verify the requested time range is within Meraki's data retention limits (varies by data type, typically 30-90 days)
    • Review checkpoint data to see when the last successful collection occurred
  • Data collection stopped:
    • Check for checkpoint retrieval failures in logs: "Could not retrieve checkpoint"
    • Verify KVStore is accessible and healthy
    • Confirm the input schedule hasn't been disabled

Webhook Issues

  • Webhook validation fails:
    • HTTPS required: HEC webhook URL must use HTTPS (not HTTP)
    • Valid SSL certificate: The Splunk server must have a verified SSL certificate. Self-signed certificates may cause validation failures
    • Error message: "The URL should be using https and have verified SSL certificate"
  • Webhook not receiving events:
    • Confirm HEC is enabled in Splunk: Settings > Data inputs > HTTP Event Collector
    • Verify the HEC token is valid and not disabled
    • Check webhook logs via the meraki:webhooklogs:api input to see delivery status and response codes
    • Test webhook connectivity from Meraki Dashboard
  • Webhook setup hangs:
    • If webhook test status remains "enqueued", check network connectivity between Meraki and Splunk
    • Review firewall rules to ensure Meraki can reach the Splunk HEC endpoint
    • Verify HEC port (default: 8088) is open and accessible
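
A pre-flight for the checks above, run before the receiver is created, as an added example (not part of the add-on): it lints the HEC URL base, performs a TLS handshake with certificate verification on, and posts one test event with the token. The function names are hypothetical, `splunk.example.com` is a placeholder, and the local trust store is assumed to approximate what Meraki accepts; `/services/collector/event` and the `Authorization: Splunk <token>` header are Splunk's standard HEC interface.

```python
import json
import socket
import ssl
import sys
import urllib.request
from urllib.parse import urlsplit


def lint_hec_base(url):
    """Static checks on the 'HEC URL base' value, https://<splunk-host>:<hec-port>."""
    try:
        parts = urlsplit(url)
        parts.port                      # raises ValueError on a bad port
    except ValueError as exc:
        return [f"unparseable URL: {exc}"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https (the webhook URL cannot be plain http)")
    if not parts.hostname:
        problems.append("no host in URL")
    if parts.username or parts.password:
        problems.append("credentials in URL; the token belongs in the HEC token field")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("expected scheme, host and port only, without path or query")
    return problems


def hec_event_url(base):
    """Full event endpoint for a given HEC URL base."""
    return base.rstrip("/") + "/services/collector/event"


def tls_verifies(host, port, timeout=5.0):
    """Handshake against the local trust store; returns (ok, detail)."""
    ctx = ssl.create_default_context()   # chain and hostname verification are on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def send_test_event(base, token, timeout=5.0):
    """POST one constructed event; HEC answers {"text": "Success", "code": 0}."""
    payload = {"sourcetype": "meraki:webhook",
               "event": {"message": "constructed pre-flight event"}}
    req = urllib.request.Request(
        hec_event_url(base), data=json.dumps(payload).encode(),
        headers={"Authorization": f"Splunk {token}"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python hec_preflight.py https://splunk.example.com:8088 <HEC_TOKEN>
    base, token = sys.argv[1], sys.argv[2]
    issues = lint_hec_base(base)
    if issues:
        sys.exit("\n".join(issues))
    target = urlsplit(base)
    ok, detail = tls_verifies(target.hostname, target.port or 443)
    print("TLS:", "verified" if ok else "FAILED", detail)
    if ok:
        print("HEC:", send_test_event(base, token))
```

The test event lands in the token's index with sourcetype meraki:webhook, so the search from the Test Webhook section confirms the whole path.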

Regional Connectivity Issues

  • 404 Not Found on all API calls:
    • For China deployments, ensure China region is selected (uses api.meraki.cn)
    • For FedRAMP/US Government, ensure FedRAMP region is selected (uses api.gov-meraki.com)
    • For India deployments, ensure India region is selected (uses api.meraki.in)
    • For Canada deployments, ensure Canada region is selected (uses api.meraki.ca)
    • For proxy deployments, use Other region and enter your custom proxy URL in the Base URL field
  • Network timeouts:
    • Check if a proxy is required for external API access
    • Verify DNS resolution for the Meraki API endpoint
    • Test connectivity using curl from the Splunk server

Proxy Configuration Issues

  • Proxy validation errors:
    • If proxy is enabled, both Proxy URL and Proxy Port are required
    • Proxy port must be between 1 and 65535
    • If proxy requires authentication, both username and password must be provided (not just one)
  • Connection failures through proxy:
    • Verify proxy credentials are correct
    • Test proxy connectivity manually using curl with proxy settings
    • Check if the proxy requires special SSL/TLS handling
    • Review proxy logs for blocked or failed requests
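
The validation rules above, applied to a hand-edited [proxy] stanza before Splunk is restarted, as an added example (not the add-on's own validator). The function names are hypothetical, and the file-permission check is an extra of this example: it treats a file that carries proxy_password as a secret.

```python
import configparser
import os
import stat
import tempfile

PROXY_KEYS = ("proxy_enabled", "proxy_url", "proxy_port",
              "proxy_username", "proxy_password")


def read_proxy(text):
    """Return the [proxy] stanza as a dict, or None if it is absent."""
    # interpolation=None keeps a '%' in a password from being parsed as syntax
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("proxy"):
        return None
    return {k: cp["proxy"].get(k, "").strip() for k in PROXY_KEYS}


def lint_proxy(text):
    """Apply the page's proxy validation rules; returns a list of problems."""
    try:
        px = read_proxy(text)
    except configparser.Error as exc:
        return [f"file does not parse as .conf: {type(exc).__name__}"]
    if px is None:
        return ["no [proxy] stanza"]
    # Values are never echoed here, so a real password cannot leak into output.
    problems = [f"{k} still holds an unreplaced <...> template placeholder"
                for k, v in px.items() if v.startswith("<") and v.endswith(">")]
    if px["proxy_enabled"].lower() not in ("1", "true"):
        return problems                 # the rules below apply only when enabled
    if not px["proxy_url"] or not px["proxy_port"]:
        problems.append("proxy enabled: proxy_url and proxy_port are both required")
    port = px["proxy_port"]
    if port and not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"proxy_port {port!r} is not an integer between 1 and 65535")
    if bool(px["proxy_username"]) != bool(px["proxy_password"]):
        problems.append("proxy_username and proxy_password must be set together")
    return problems


def lint_proxy_file(path):
    """lint_proxy() plus a permission check when the file stores a password."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    problems = lint_proxy(text)
    try:
        has_secret = bool((read_proxy(text) or {}).get("proxy_password"))
    except configparser.Error:
        has_secret = False
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if has_secret and mode & 0o077:
        problems.append(f"mode {mode:03o}: file with proxy_password is "
                        "accessible beyond its owner")
    return problems


def demo():
    """Lint a constructed settings file written with mode 0644."""
    conf = ("[proxy]\nproxy_enabled = 1\nproxy_url = proxy.example.internal\n"
            "proxy_port = 70000\nproxy_username = svc_splunk\n"
            "proxy_password = constructed-not-a-real-secret\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "splunk_ta_cisco_meraki_settings.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(conf)
        os.chmod(path, 0o644)
        return lint_proxy_file(path)


if __name__ == "__main__":
    print("\n".join(demo()))
```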

Checkpoint/State Management Issues

  • Checkpoint retrieval failures:
    • Error: "Could not retrieve checkpoint. Not collecting events."
    • Verify KVStore is running and accessible: $SPLUNK_HOME/bin/splunk show kvstore-status
    • Check session key validity in logs
    • Review splunk_ta_cisco_meraki logs for "Error in Checkpoint handling"
  • Duplicate data collection:
    • May occur if checkpoint is not being saved properly
    • Check KVStore write permissions for the add-on
    • Verify sufficient disk space for KVStore data
  • Data gaps after restart:
    • Checkpoint may not have been saved before restart
    • Use Start from days ago parameter to backfill missed data

Input Configuration Issues

  • Input won't start:
    • Invalid interval: Must be an integer within the allowed range for that input type
    • Invalid start_from_days_ago: Must be an integer if specified, within historical data retention limits
    • Invalid top_count: For "top N" inputs, must be an integer within valid range
    • Review splunk_ta_cisco_meraki_*_validation logs for validation errors
  • KeyError in logs:
    • Missing required configuration parameter
    • Organization name not found in configuration
    • Verify organization is configured and saved before creating inputs

Uninstall

Standalone Environment

  1. Remove the app directory:
     # ${SPLUNK_HOME:?} makes the shell abort if SPLUNK_HOME is unset or empty
     rm -rf "${SPLUNK_HOME:?}/etc/apps/Splunk_TA_cisco_meraki"
  2. Remove add-on logs:
     rm "${SPLUNK_HOME:?}"/var/log/splunk/splunk_ta_cisco_meraki*.log*
  3. Restart Splunk to complete cleanup

Getting Help
