
 

Cisco Meraki Documentation

Cisco Meraki Add-on for Splunk

Component Details
Version 3.0.0
Vendor Products Cisco Meraki API v1.38.0
Visible in Splunk Web Yes. This add-on contains views for configuration.

 

Download the Cisco Meraki Add-on for Splunk from Splunkbase.

Overview

The Cisco Meraki Add-on for Splunk lets you monitor networks and devices across one or multiple organizations.

The add-on collects data via the Cisco Meraki REST APIs and network alerts via webhooks.

With this add-on you can:

  • Gather multi-organization analytics
  • Extend historical analysis
  • Integrate across platforms, products, and vendors
  • Customize analytics and reporting
  • Automate workflows

The add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

 

 


Example dashboard created with the Cisco Meraki add-on used to analyze API usage across multiple organizations

 

Multi-Organization Intelligence

Cross-Organization Visibility
  • Unified view across multiple Meraki organizations
  • Comparative analytics across different networks
  • Standardized monitoring for diverse deployments
  • Perfect for:
    • Service providers supporting multiple customer organizations
    • Enterprises with multiple organizational divisions
    • Global companies with regional organizations
Enhanced Historical Analysis
  • Extended historical data retention and analytics
  • Long-term trend analysis across organizations
  • Advanced capacity planning capabilities
  • Flexible data retention options

Enhanced Security & Compliance

Unified Security Monitoring
  • Centralized security event management
  • Cross-organization threat correlation
  • Comprehensive configuration tracking
  • Streamlined compliance monitoring
Cross-Platform Integration
  • Seamless integration with other Cisco security products
  • Native Splunk Enterprise Security compatibility
  • Unified network and security event correlation
  • Customizable security dashboards

Installation

Quick Start

  1. Log in and download the Cisco Meraki add-on for Splunk on Splunkbase
  2. Click "Install" to add the Cisco Meraki Add-on to your Splunk Cloud instance
  3. Configure your Meraki organization credentials in the add-on

That's it! You're ready to start monitoring your Meraki infrastructure.

For additional details and other deployment scenarios (on-premises, distributed, etc.), please refer to the sections below:


Splunk Platform Requirements

  • Standard Splunk deployment requirements apply (Reference)
  • KV store must be enabled (especially important for Heavy Forwarders)
  • For Splunk Cloud deployments, no additional requirements needed
  • For on-premises forwarders to Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual

Compatibility Matrix

Component Requirement
Splunk Enterprise Version 9.4.x, 9.3.x, 9.2.x, and 9.1.x
Supported OS Version Independent
Browser Independent
Python Version Python3
Cisco Meraki API v1.38.0

Deployment Options

Distributed Installation Requirements

Splunk instance type Supported Required Comments
Search Heads Yes Yes Install for knowledge management
Indexers Yes No Optional (parsing on heavy forwarders)
Heavy Forwarders Yes Yes Required for data collection
Universal Forwarders No No Not supported
Inputs Data Manager (IDM) Yes No Supported
Self Service App Install (SSAI) Conditional No Not supported with IDM

Distributed Features Support

  • Search Head Clusters: Supported
  • Indexer Clusters: Supported
  • Deployment Server: Limited support (unconfigured add-on only)

Configure

Meraki Credentials

The Cisco Meraki dashboard uses API keys to authenticate API calls to gather information for the organization. Follow these steps to set up access.

API Key

Generate your API key in the Meraki Dashboard

  • Navigate to Organization > API & Webhooks
  • Generate a new API key
  • Save the API key securely - it will only be shown once

Organization ID

Obtain your organization ID using one of these methods:

Using the Dashboard
  • Navigate to the Meraki Dashboard Organization.
  • Find your organization ID in the footer of the page.
Using the Browser

If you are already logged in to the Meraki Dashboard as the same admin that the API key belongs to, then:

 [
     {
         "id": "876128346",
         "name": "My Meraki Org",
         ...
Using cURL
curl -L --request GET \
--url https://api.meraki.com/api/v1/organizations \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer [API Key]'

Note: Refer to the Meraki API documentation for additional endpoint information.

For China Service, use meraki.cn instead of meraki.com 

Device Configuration

For optimal data collection and analysis:

  • Name all devices (access points, cameras, security appliances, switches) in the Meraki Dashboard
  • Device names can be set in each device's overview page in the Meraki Dashboard
  • Consistent naming conventions improve searchability and reporting

Set up the Add-on

  1. On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Cisco Meraki.
  2. Click the Configuration tab.
  3. Click the Organization tab.
  4. In the Add Organization dialogue box, fill in the required fields:

    Field Description
    Organization Name The name of your Cisco Meraki organization.
    Service Region Select Global (that is the default) or China if China Service is used.
    Organization ID The organization ID that you obtained from Cisco Meraki.
    Organization API Key The organization API key that you obtained from Cisco Meraki.
  5. If you are using a proxy, check Enable Proxy and fill in the required fields on the Configuration tab.

(Optional) Change logging level

  1. On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Cisco Meraki.
  2. Click the Configuration tab.
  3. Click the Logging tab.
  4. Select a new logging level from the drop-down menu.
  5. Click Save to save your configurations.

(Optional) Proxy setup

  1. On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Cisco Meraki.
  2. Click the Configuration tab.
  3. Click the Proxy tab.
  4. Check Enable and fill in the required fields.

 

Only HTTPS proxies are supported.

Configure a proxy using configuration files

You can also configure your proxy using the configuration files. This gives you access to a few advanced options.

  1. Create or edit $SPLUNK_HOME/etc/apps/Splunk_TA_cisco_meraki/local/splunk_ta_cisco_meraki_settings.conf.
  2. Fill in values for your proxy using the following structure:

     

    [proxy]
    proxy_enabled = 0
    proxy_url =
    proxy_port =
    proxy_username =
    proxy_password =

  3. Enable the proxy by setting proxy_enabled to 1.

Configure Inputs

Users can manually create data "Inputs" by following the steps below.
Note: This is not required if you chose to have the inputs automatically created when adding the Meraki organization.

  1. Log in to Splunk and select Cisco Meraki Add-on for Splunk > Inputs from the top left menu.
  2. Click on Create New input
  3. Fill in all required parameters
  4. Click on the save button

Manage Inputs

To Disable an Input

  1. Go to Cisco Meraki Add-on for Splunk > Inputs
  2. Find the input you want to Disable from the list of inputs
  3. Click on Status > Enabled

To Enable an Input

  1. Go to Cisco Meraki Add-on for Splunk > Inputs
  2. Find the input you want to Enable from the list of inputs
  3. Click on Status > Disabled

To Edit an Input

  1. Go to Cisco Meraki Add-on for Splunk > Inputs
  2. Find the Input you want to edit from the list of configured inputs
  3. Click on Action > Edit
  4. Update the required parameters in the dialogue box
  5. Click on Update

To Clone or Delete an Input

  1. Go to Cisco Meraki Add-on for Splunk > Inputs
  2. Click Action > Clone/Delete

 

Migrating from Version 2.x

When upgrading from version 2.2.1 to version 3.0.0, additional configuration steps are required due to new parameters introduced in the Configuration page.

Pre-upgrade Steps

  1. Document your existing configuration
  2. Disable all inputs linked to your configured accounts
  3. Back up any custom dashboards or saved searches

Post-upgrade Configuration

After upgrading to version 3.0.0, follow these steps for each existing account:

  1. Navigate to the Configuration page in the Splunk Add-on for Cisco Meraki

  2. For each existing account:

    • Click the Edit icon for the configured account
    • Re-enter the Organization API Key
    • Review and adjust the Max API Calls per Second setting if needed
    • Save the changes
  3. Re-enable your inputs after completing the account updates

Important Note: Attempting to use accounts configured in version 2.2.1 without performing these steps after upgrading to version 3.0.0 will result in errors. 

Upgrading directly to version 3.0.1 does not require any additional steps.

Verification Steps

After completing the upgrade process:

  1. Verify data collection has resumed
  2. Check for any error messages in the logs
  3. Confirm all dashboards and saved searches are functioning correctly

Webhook Alerts

Collect network alerts from Meraki by sending messages with webhooks.

Splunk Configuration

Follow these steps to generate an HTTP Event Collector (HEC) token in Splunk, which will be used to authenticate the delivery.

Generate a HEC token

  1. Log in to Your Splunk Instance

  2. Navigate to Cisco Meraki Add-on for Splunk.

  3. Navigate to the HTTP Event Collector Configuration

    • In the top-right corner, go to Settings
    • Select Data Inputs > HTTP Event Collector
  4. Verify HTTP Event Collector is Enabled

    • Click on the Global Settings button in the top-right corner
    • In the Global Settings window:
      • Ensure All Tokens are set to Enabled
      • Specify the HTTP Port Number (default: 8088) or retain the existing port configuration
    • Save the changes to return to the HTTP Event Collector page
  5. Create a New HEC Token

    • Click the New Token button in the top-right corner
  6. Configure the Token

    • Selected Source:
      • Provide a descriptive name for the HEC token and click Next
    • Input Settings:
      • Set the Sourcetype to Select and select "meraki:webhook" sourcetype
      • Select an Index from the available list where the data will be ingested (Note: You can create and assign a new index if needed.)
  7. Review and Submit

    • Click the Review button to verify the token configuration details
    • If all details are correct, click Submit to create the token
    • After submission, a new page will display the Token Value

Meraki Configuration

Follow these steps to configure a webhook using a Splunk HTTP Event Collector (HEC) token within Cisco Meraki:

  1. Access Your Meraki Instance

    • Log in to your Meraki instance with your credentials
    • Navigate to the left panel, locate the Organizations tab, and proceed to Organizations > API & Webhooks
  2. Navigate to Webhooks

    • On the API & Webhooks page, select the Webhooks tab
    • The Webhooks tab provides two options: Receivers and Templates

Create a Webhook Template

Before creating a receiver, create a new Splunk template to format and send the data

  • Click on Templates
  • In the Templates tab, click the New Template button
  1. Define the Template

    • Enter a unique Name, such as "Splunk"
    • Define the Liquid Body by entering the following schema:
{
  "sourcetype": "meraki:webhook",
  "event": {
    "version": "0.1",
    "sentAt": "{{sentAt}}",
    "organizationId": "{{organizationId}}",
    "organizationName": "{{organizationName}}",
    "organizationUrl": "{{organizationUrl}}",
    "networkId": "{{networkId}}",
    "networkName": "{{networkName}}",
    "networkUrl": "{{networkUrl}}",
    "networkTags": {{ networkTags | jsonify }},
    "deviceSerial": "{{deviceSerial}}",
    "deviceMac": "{{deviceMac}}",
    "deviceName": "{{deviceName}}",
    "deviceUrl": "{{deviceUrl}}",
    "deviceTags": {{ deviceTags | jsonify }},
    "deviceModel": "{{deviceModel}}",
    "alertId": "{{alertId}}",
    "alertType": "{{alertType}}",
    "alertTypeId": "{{alertTypeId}}",
    "alertLevel": "{{alertLevel}}",
    "occurredAt": "{{occurredAt}}",
    "alertData": {{ alertData | jsonify }}
  }
}
  2. Define the Liquid Header
    • Navigate to the Liquid Header section
    • Click on Add and provide:
      • Key: Authorization
      • Value: Splunk {{sharedSecret}}

Create a Webhook Receiver

The URL must use HTTPS and have a verified SSL certificate

  • Open the Receivers tab
  • Enter the following details:
    • Name: Enter a name for the webhook receiver
    • URL: Enter the Splunk receiver URL
      • Format: https://{{ip/instance name}}:{{HEC Port}}/services/collector/event
      • Example: https://abcanc.io:1234/services/collector/event
    • Shared Secret: Use the Splunk HEC token
    • Payload Template: Use the Splunk template created above

Test Webhook

On Meraki Platform

  1. Navigate to Network-Wide > Alerts
  2. Scroll to the webhooks section
  3. Find your webhook and click Test webhook
  4. A green "Delivered" message indicates success

On Splunk Platform

  1. Navigate to Cisco Meraki Add-on for Splunk > Search
  2. Enter the search query:
    index=<WEBHOOK_INDEX> sourcetype="meraki:webhook"
    
    Replace WEBHOOK_INDEX with your configured index name
  3. View the collected data in the search results

Assigning Alerts

  1. Navigate to Network-Wide > Alerts
  2. In the Default recipients field, add your webhook name
  3. Enable any alerts of interest on the page or throughout the dashboard to begin receiving webhooks as they are triggered.

Reference 

Macros

Macros are reusable expressions that simplify and streamline searches by encapsulating common logic or calculations. They help reduce repetition, enhance maintainability, and improve readability in SPL queries.

Configuring Macros

You can modify macros in Splunk by following these steps:

  1. Navigate to Settings > Advanced Search > Search macros

  2. Once the macros page opens:

    • Go to the apps dropdown
    • Select "Cisco Meraki Add-on for Splunk"
    • This shows the list of macros created for Cisco Meraki
  3. To edit a macro:

    • Click on the name of the macro to open the editing window
    • If you have a separate index for your data collection, you can update the macro definition to add support for that index
    • By default the supported index is main
    • To add more indexes, add a comma (,) and the index name you want to add

Example:

index IN( main , test_index )


Sourcetypes

The Cisco Meraki Add-on for Splunk provides search-time knowledge for Meraki data in the following formats:

Sourcetype API Endpoint
meraki:devicesavailabilitieschangehistory Device Availabilities Change History
meraki:devicesuplinksaddressesbydevice Device Uplinks Addresses
meraki:wirelessdevicesethernetstatuses Wireless Devices Ethernet Statuses
meraki:wirelessdevicespacketlossbydevice Wireless Devices Packet Loss By Device
meraki:sensorreadingshistory Sensor Readings History
meraki:summarytopappliancesbyutilization Summary Top Appliances By Utilization
meraki:summarytopclientsbyusage Summary Top Clients By Usage
meraki:summarytopdevicesbyusage Summary Top Devices By Usage
meraki:summarytopswitchesbyenergyusage Summary Top Switches By Energy Usage
meraki:assurancealerts Assurance Alerts
meraki:apirequestshistory API Requests History
meraki:apirequestsresponsecodes API Requests Overview Response Codes By Interval
meraki:apirequestsoverview API Requests Overview
meraki:appliancesdwanstatistics Appliance VPN Stats
meraki:appliancesdwanstatuses Appliance VPN Statuses
meraki:licensesoverview Licenses Overview
meraki:licensescotermlicenses Licensing Coterm Licenses
meraki:licensessubscriptionentitlements Licensing Subscription Entitlements
meraki:licensessubscriptions Licensing Subscriptions
meraki:switchportsoverview Switch Ports Overview
meraki:firmwareupgrades Firmware Upgrades
meraki:audit Audit
meraki:airmarshal Air Marshal
meraki:accesspoints Access Points
meraki:cameras Cameras
meraki:securityappliances Security Appliances
meraki:switches Switches
meraki:organizationsecurity Organization Security
meraki:organizations Organizations
meraki:organizationsnetworks Organization Networks

 

Input Patterns

The inputs have common configuration patterns as described below:

Pattern 1
Parameters Type Description
Name Textbox Name of the input
Organization Dropdown Select Organization configured from the Organizations Page
Interval Textbox Time interval for input in seconds
Start From Textbox Start getting data from given past days
Index Textbox Name of index in which you want to ingest data


The following inputs follow Pattern 1:

  • API Request History
  • Request Overview
  • Request Response Code
  • Appliance VPN Stats
  • Appliance VPN Statuses
  • Assurance Alerts
  • License Coterm Licenses
  • Licenses Subscriptions
  • Audit
  • Firmware Upgrades
  • Organization Networks
  • Organizations
  • Device Availability Change History
  • Device Uplink Addresses by device
  • Sensor Reading History
  • Switch Port Overview
  • Air Marshal
  • Wireless Packet Loss By Device
Pattern 2
Parameters Type Description
Name Textbox Name of the input
Organization Dropdown Select Organization configured from the Organizations Page
Interval Textbox Time interval for input in seconds
Index Textbox Name of index in which you want to ingest data


The following inputs follow Pattern 2:

  • Security Appliance
  • Camera
  • License Overview
  • Licenses Subscription Entitlements
  • Organization Security
  • Switches
  • Access Point
  • Wireless Device Ethernet Status
Pattern 3
Parameters Type Description
Name Textbox Name of the input
Organization Dropdown Select Organization configured from the Organizations Page
Interval Textbox Time interval for input in seconds
Start From Textbox Start getting data from given past days
Top Count Textbox Number of top records to retrieve
Index Textbox Name of index in which you want to ingest data


The following inputs follow Pattern 3:

  • Summary Appliance Top By Utilization
  • Summary Top Client By Usage
  • Summary Top Device By Usage
  • Summary Top Switches By Energy Usage

Troubleshooting

Quick Checks

API Connectivity

  1. Verify API key access:

    curl -L -X GET \
    'https://api.meraki.com/api/v1/organizations' \
    -H 'Authorization: Bearer YOUR_API_KEY'
    
    • Should return a list of organizations
    • If 404: Check API key permissions
    • If 403: Verify API access is enabled for the organization
  2. Verify organization ID access:

    curl -L -X GET \
    'https://api.meraki.com/api/v1/organizations/YOUR_ORG_ID' \
    -H 'Authorization: Bearer YOUR_API_KEY'
    
    • Should return organization details
    • If error: Verify API key has access to the organization
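
The two API connectivity checks above (and the earlier cURL call used to find the organization ID) can be run as one script that keeps the API key out of the command line, shell history and process list. This is an added example, not part of the add-on or the original page; MERAKI_API_KEY, MERAKI_ORG_ID and MERAKI_API_BASE are variable names assumed here.

```shell
#!/bin/sh
# Added example: verify API key access and organization ID access.
# Assumed names: MERAKI_API_KEY, MERAKI_ORG_ID, MERAKI_API_BASE (environment).
# For China Service, point MERAKI_API_BASE at meraki.cn instead of meraki.com.
MERAKI_API_BASE="${MERAKI_API_BASE:-https://api.meraki.com/api/v1}"

# Emit a curl config carrying the Authorization header. It is fed to curl on
# stdin (--config -), so the key never appears in argv.
auth_config() {
    printf 'header = "Authorization: Bearer %s"\n' "$1"
    printf 'header = "Accept: application/json"\n'
}

# Map an HTTP status to the diagnosis given in the troubleshooting lists.
diagnose() {
    case "$1" in
        200) echo "ok" ;;
        404) echo "check API key permissions" ;;
        403) echo "verify API access is enabled for the organization" ;;
        429) echo "rate limited: wait before retrying and lower the API call rate" ;;
        000) echo "no HTTP response: check DNS, proxy and firewall" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# GET path $1 under the API base; body goes to file $2, status code to stdout.
api_status() {
    auth_config "$MERAKI_API_KEY" |
        curl -sS -L --config - -o "$2" -w '%{http_code}' "$MERAKI_API_BASE$1"
}

# True when the organizations listing in file $2 contains id $1.
# Coarse text match (no JSON parser needed): whitespace is stripped first.
org_listed() {
    tr -d ' \n\r\t' < "$2" | grep -q "\"id\":\"$1\""
}

main() {
    body=$(mktemp) || return 1
    trap 'rm -f "$body"' EXIT
    status=$(api_status /organizations "$body") || status=000
    echo "GET /organizations -> $status: $(diagnose "$status")"
    [ "$status" = 200 ] || return 1
    if ! org_listed "$MERAKI_ORG_ID" "$body"; then
        echo "organization $MERAKI_ORG_ID is not visible to this API key"
        return 1
    fi
    status=$(api_status "/organizations/$MERAKI_ORG_ID" "$body") || status=000
    echo "GET /organizations/$MERAKI_ORG_ID -> $status: $(diagnose "$status")"
    [ "$status" = 200 ]
}

# Run only when both variables are set, so sourcing the file has no side effects.
if [ -n "${MERAKI_API_KEY:-}" ] && [ -n "${MERAKI_ORG_ID:-}" ]; then
    main
fi
```

Export the two variables from a secrets store or a prompt (`read -r`) rather than typing the key inline, then run the script on the heavy forwarder so the check uses the same network path as the add-on.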

App Installation

  1. Check app logs:

    • Location: $SPLUNK_HOME/var/log/Splunk/splunk_ta_cisco_meraki*.log
    • Search in Splunk: index="_internal" source=*splunk_ta_cisco_meraki*.log*
    • For errors only: index="_internal" source=*splunk_ta_cisco_meraki*.log* ERROR
  2. Verify KV Store:

    • Must be enabled, especially on Heavy Forwarders
    • Check Settings > Server Settings > KV Store

Common Issues and Fixes

No Data Coming In

  1. Check API key permissions
  2. Verify organization ID
  3. Check input status in Splunk Web
  4. Look for errors in input logs

Rate Limiting (429 Errors)

  1. Check input logs for "429" errors
  2. Reduce API calls per second in input configuration

Webhook Issues

  1. Verify HEC token is enabled
  2. Check webhook URL is accessible
  3. Confirm webhook template in Meraki Dashboard

Data Collection

  • 429 Errors: "Max API calls limit reached"

    • Wait before retrying
    • Adjust API call rate for the organization in the add-on Configuration section
    • Restart the input
  • Authentication Errors:

    • Verify API key has at least read permissions to the Meraki organization
    • Check if the organization ID is correct

Webhook Configuration

    • Verify HTTPS with TLS 1.3 or higher
    • Ensure Splunk HEC port is publicly accessible
    • Check firewall rules allow Meraki cloud servers
  1. Configuration Issues:

    • Verify HEC token is configured correctly
    • Check webhook payload template matches Splunk requirements
    • Confirm webhook receiver URL is correct
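
To separate a Splunk-side HEC problem from a Meraki-side delivery problem, the webhook checks above can be exercised directly against the receiver URL. The script below is an added example, not part of the add-on or the original page: it posts one constructed event with the same Authorization header format and sourcetype as the webhook template and interprets Splunk's HEC reply code. SPLUNK_HEC_URL and SPLUNK_HEC_TOKEN are variable names assumed here.

```shell
#!/bin/sh
# Added example: send one constructed meraki:webhook event to HEC and explain
# the reply. Assumed names: SPLUNK_HEC_URL (the full receiver URL ending in
# /services/collector/event) and SPLUNK_HEC_TOKEN, both environment variables.

# Constructed event with a subset of the template's fields; $1 is a timestamp.
sample_event() {
    printf '{"sourcetype": "meraki:webhook", "event": {'
    printf '"version": "0.1", "sentAt": "%s", ' "$1"
    printf '"organizationName": "constructed-org", '
    printf '"networkName": "constructed-net", "networkTags": [], '
    printf '"alertType": "HEC connectivity check", '
    printf '"alertLevel": "informational", "alertData": {}}}\n'
}

# Extract the numeric "code" field from an HEC JSON reply stored in file $1.
hec_code() {
    sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Map HEC reply codes to the webhook checks listed in this section.
explain_hec() {
    case "$1" in
        0) echo "accepted: search the webhook index for sourcetype meraki:webhook" ;;
        1) echo "token disabled: enable the token and All Tokens in Global Settings" ;;
        2|3) echo "Authorization header missing or malformed: expected 'Splunk <token>'" ;;
        4) echo "invalid token: the shared secret must be the HEC token value" ;;
        5|6) echo "payload rejected: compare the template body with the HEC event format" ;;
        7) echo "incorrect index: the token is not allowed to write to that index" ;;
        *) echo "no usable HEC reply: check URL, port, certificate and firewall" ;;
    esac
}

main() {
    reply=$(mktemp) || return 1
    trap 'rm -f "$reply"' EXIT
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # The token travels in a curl config on stdin, not in argv. Certificate
    # verification stays on, since the receiver needs a verified certificate.
    status=$(printf 'header = "Authorization: Splunk %s"\n' "$SPLUNK_HEC_TOKEN" |
        curl -sS --config - -o "$reply" -w '%{http_code}' \
             --data-binary "$(sample_event "$now")" "$SPLUNK_HEC_URL") || status=000
    code=$(hec_code "$reply")
    echo "HTTP $status, HEC code ${code:-none}: $(explain_hec "$code")"
    [ "$code" = 0 ]
}

# Run only when both variables are set, so sourcing the file has no side effects.
if [ -n "${SPLUNK_HEC_URL:-}" ] && [ -n "${SPLUNK_HEC_TOKEN:-}" ]; then
    main
fi
```

Run it from a host outside your network to test the same path the Meraki cloud uses; a certificate error from curl here means the Meraki receiver will fail for the same reason.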

Upgrade Issues

If upgrading from version 2.x to 3.0.0:

  • Follow the upgrade guide
  • Common issues include:
    • Missing new required parameters
    • Incompatible input configurations
    • Credential migration errors

Uninstall

Standalone Environment

  1. Remove app directory:
    rm -rf "${SPLUNK_HOME:?}/etc/apps/Splunk_TA_cisco_meraki"
    
  2. Remove log files:
    rm "${SPLUNK_HOME:?}"/var/log/Splunk/splunk_ta_cisco_meraki*.log*
    
  3. Restart Splunk to complete cleanup

Getting Help

If issues persist after following this guide:

  1. Collect relevant logs
  2. Document configuration settings
  3. Contact Cisco Meraki Support with details

For additional troubleshooting resources:
