This article provides step-by-step instructions for configuring Splunk to collect data from a Meraki network: the Scanning API is used to collect location data for Wi-Fi and Bluetooth devices, and Syslog is used to collect syslog events from the MX security appliance.

About Splunk

Splunk has closely aligned with Cisco Meraki to help organizations gain insights leveraging the vast amounts of data generated by Meraki products. Meraki customers use Splunk’s software and cloud services to monitor service levels, reduce operational costs, mitigate security risks, meet compliance requirements for logging, and even create new product and service offerings.

The Splunk platform enables IT to:

  1. Collect data from anywhere.
  2. Search and analyze across all your data – This means you don’t have to deploy a database.
  3. Display real-time insights from machine data through dashboards.

Location Analytics Integration

The Scanning API allows the network to be used as a data collection and marketing database full of valuable location data of nearby devices and users. Splunk has many handy tools and algorithms that allow the data to be manipulated and presented in different ways. Users can generate dashboards to track the number of visitors per day, the visit duration, the number of return visits, and the peak hours of foot traffic, based on WiFi and Bluetooth capabilities built into Meraki products.

Before you’re able to collect your location data into Splunk, you need to enable the Meraki Location Analytics and Scanning API on the Meraki Dashboard. Once this is completed, you will need to install the Cisco Meraki Presence Modular Input in Splunk, and exchange the shared secret between the two interfaces. This Splunk add-on for Cisco Meraki allows you to receive a data stream from the Meraki Scanning API. This will capture JSON probe data that is sent from Cisco Meraki via HTTP POST requests. The Scanning API version 1.0 and version 2.0 are both supported.

Once you complete this guide, your server will start capturing WiFi enabled endpoints as they pass by your device. When the endpoint is not connected to the AP, you will capture the AP reporting the device, the latitude and longitude, the client’s MAC address, and the signal strength. When the endpoint connects to the WiFi network you will also capture the Manufacturer, OS, IP address, and SSID.

To see the end result of this integration guide, you can see a live demo of Splunk integrated with Meraki for Location analytics.

Splunk Location Analytics Demo

Meraki Configuration

This section describes how to configure the Meraki Dashboard to send location data to the Splunk server using the Scanning API.

  1. Log in to
  2. Go to Network-wide -> General.
  3. Scroll down to the Location and scanning section.
  4. Enable Analytics
  5. Enable Scanning API
  6. Add a POST URL to the server you will be sending the data to.
    1. Typically this will be an HTTP or HTTPS URL, the port number, and ‘/events’
    2. Ensure that your post URL ends with the suffix ‘/events’.
    3. For example, your URL should look like: http://{serverhostname}:{port number}/events
    4. IP addresses and hostnames are both acceptable formats.
    5. Up to 4 servers can be configured to receive data from the same network.
  7. Enter a shared secret that you will share between the Meraki and Splunk server.
  8. Copy and paste the Validator and save it for the Splunk configuration.
  9. Make sure that your Splunk server is reachable over the specified POST URL.
    1. The Meraki Cloud will make a GET request to the server when you click “Validate”. If you can successfully reach the URL in your web browser, the server is working.
    2. The Splunk server needs to be internet reachable with a public IP, and firewall rules should allow traffic from the range of Meraki servers to the Splunk server. For the list of Meraki IPs, please visit the Firewall rules page under the Help menu on the dashboard.
  10. After the Splunk server is configured, come back to this page to click “Validate” and the Meraki Cloud will begin sending data.


AWS Console Configuration

This section walks through how to set up Splunk on Amazon Web Services. If you already have your Splunk server configured and firewall settings enabled to allow communication, you can skip this section and jump to the Firewall Configuration or Modular Input Configuration. Also please note that this guide is step-by-step and you may be able to set up much faster by using the Splunk Enterprise Quick Start for AWS.

  1. Log into your AWS console
  2. Navigate to the EC2 instances page
  3. Click Launch Instance to create a new EC2 server
  4. To use the Quick Start method, Select AWS Marketplace on the left, search for Splunk, and select Splunk Enterprise
  5. To use the non-quick start method, select Linux from the top of the page and we will install Splunk following this guide.
  6. Continue and select the server size you would like to use. For example, instance type t2.medium is used for the Meraki demo with a small number of access points.
  7. Launch the instance.
  8. Navigate to the Security Groups
  9. Highlight the security group
  10. Navigate to the Inbound Tab
    1. Click Edit
    2. Click Add Rule
    3. Select Custom TCP Rule
    4. For Port put 8000 (This will be the port used to access your Splunk dashboard)
    5. For the Source put ANY if you want to allow access from anywhere or put My IP or Custom IP if you want to limit access
    6. Now click Save


Connect to AWS via SSH:

  1. Open an SSH client. (find out how to connect using PuTTY)
  2. Locate your private key file (merakisplunk.pem). The wizard automatically detects the key you used to launch the instance. On your Terminal, browse to the directory
    • $ cd Desktop
  3. Your key must not be publicly viewable for SSH to work. Use this command if needed:
    • $ chmod 400 merakisplunk.pem
  4. Connect to your instance using its Public DNS:
  5. If you see a warning such as The authenticity of host ‘ (’ can’t be established. Are you sure you want to continue connecting (yes/no)? YES
  6. If you need any assistance connecting to your instance, please refer to AWS’s connection documentation.

Install Splunk manually

If you are not using the Quick Start on AWS Marketplace, you will need to install Splunk on your AWS server. To do this first you will need to login to your AWS server. Click Connect on your AWS Console and you should see the instructions below.

  1. AWS comes with a few tools to download the Splunk installer, but the simplest is wget. You can install wget, a command-line downloader, using the package tool yum. Run this command to install wget:
    • $ sudo yum install wget
  2. Now you can use wget to download Splunk’s install file. You can find a list of Splunk install files on Splunk’s website. The example below will install version 7.0.3:
    • $ wget -O splunk-7.0.3-fa31da744b51-linux-2.6-x86_64.rpm ‘’
  3. Once you have successfully downloaded the Splunk indexer RPM installation package, enter the following commands (where the .rpm is the name of the file you just downloaded):
    • $ cd ~
    • $ sudo rpm -ivh splunk-7.0.3-fa31da744b51-linux-2.6-x86_64.rpm
  4. This will initiate the installation process. Once the process is complete, you will need to start Splunk for the first time. To do so, enter the following commands:
    • $ cd /opt/splunk/bin/
    • $ sudo ./splunk start
  5. Please read and accept the license agreement, and wait for the Splunk initialization to complete. Once the installation and initialization process is complete, Splunk should be successfully running on your system.
  6. It is recommended you create an init script so that Splunk can then be controlled with the service command. To do so, enter the following command:
    • sudo /opt/splunk/bin/splunk enable boot-start
  7. The previous command will create an init script in /etc/init.d, and will allow you to control the Splunk daemon as follows:
    • service splunk stop Stop collecting data and safely stop the Splunk daemon
    • service splunk start Start the Splunk daemon
    • service splunk restart Stop and start the Splunk daemon
  8. This is commonly used to enable certain configuration changes to take effect. You may also disable or enable the Splunk daemon from starting on boot using the chkconfig command:
    • sudo chkconfig splunk on Enable the Splunk daemon to start on boot.
    • chkconfig splunk off Disable the Splunk daemon from starting on boot.
    • Note: the Splunk boot-start command mentioned above not only creates the init.d service script, it also tells the daemon to start on boot (as in chkconfig splunk on).
  9. Save the URL after Splunk starts.
    • The Splunk web interface is at

Linux Firewall Configuration

Next, we need to configure the Linux firewall (iptables by default on RHEL and CentOS) to allow inbound access for the ports required by Splunk. You should also choose a port to open for the Scanning API data; this is usually the same port you configured on the Meraki dashboard. Enter the following commands:

  1. Allow Scanning API POSTs on a port of your choice. It is important that this matches the port configured on your Meraki dashboard.
    • sudo iptables -A INPUT -p tcp -m tcp --dport {your port} -j ACCEPT
  2. Allow UDP connections on port 514 from any source. This is important if you intend to use Splunk to collect Syslog data.
    • sudo iptables -A INPUT -p udp -m udp --dport 514 -j ACCEPT
  3. Allow TCP connections on port 8000 from any source. By default, Splunk runs on TCP/8000, and in order to access the Splunk GUI we will need to allow this port.
    • sudo iptables -A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
  4. Allow TCP connections on port 9997 from any source. This port is commonly used by Universal Forwarders to send data to the Splunk indexer (the machine we are currently configuring).
    • sudo iptables -A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT
  5. After you have entered the iptables rules, save the configuration and restart the iptables daemon. To do so, enter the following commands:
    • service iptables save
    • service iptables restart

If you are using SuSE linux instead of RedHat or CentOS, you can use YaST to open up the port:

  1. Start YaST with the command $ yast
  2. Select Security and Users
  3. Select Firewall
  4. Select Allowed Services
  5. Select Advanced
  6. Here you type in 8000 under TCP Ports
  7. Close the advanced configuration by selecting OK.
  8. Click Next and then Finish.
  9. The software firewall will now allow TCP access on port 8000

Setup Cloudflare

CloudFlare is commonly used to protect servers on the internet from attacks. If you have CloudFlare in front of your Splunk server, please remember to set up the domain’s DNS record.

  1. Log into your CloudFlare Panel here
  2. Click on the domain that you have Splunk hosted on
  3. Navigate to the DNS tab
  4. Enter the information like shown below using the IP address of your server
  5. Click Add Record
  6. You can now visit and log into Splunk’s admin panel.

Setup Splunk Web

For first-time Splunk users, this section walks through the setup of the Splunk Enterprise Web interface and general settings. Skip ahead if you already have Splunk running and already set up with HTTPS.

  1. Using your favorite browser, please navigate to the IP address or DNS name of the server on which we have been configuring Splunk, specifying http using port 8000.
  2. At the Splunk login screen, enter the default credentials as shown in the screenshot below and click Sign In. You will be prompted to change the password during this initial login.
  3. The first thing we will want to do is change the Splunk indexer to use HTTPS. To do so, click the Settings menu in the upper right-hand corner, and then choose System Settings under the System section. Then, choose General Settings from the next page.
  4. Change your Splunk server name. By default, this will be the local hostname of the Linux server on which the indexer has been installed. You may change the name here.
  5. Splunk Web > Enable SSL (HTTPS) in Splunk Web?:
    1. By default, this option will be set to No. Change the radio button to Yes.
  6. Web port: The default web port is 8000, and can be changed here as well. Keep in mind that should you change the default port, you will need to modify the iptables firewall entry we created earlier to allow inbound connections for that port.
  7. Session timeout: By default, inactive sessions will time out in 1 hour.
  8. Once you have made your changes, click the Save button at the bottom of the page.

Licensing Splunk

This section covers how to license Splunk. If you are already licensed, skip to the next section.

  1. If you do not have a license, Splunk offers a free 500MB per day license that can be great for home use or testing, but you will want to purchase an enterprise license from Splunk to use the product in an enterprise environment. Splunk also offers a Developer Trial License for 10 GB per day for 6 months that you can request on Splunk’s website.
  2. Once you have a license, browse to Settings > Licensing and upload the license file to your server.

App Configuration

Once your Splunk server is set up and the Meraki configuration is completed, you will want to install the Cisco Meraki Presence Modular Input in Splunk, and exchange the shared secret between the two interfaces. The Cisco Meraki Presence Modular Input was created by Damien Dalmore from Baboon Bones. This Splunk add-on for Cisco Meraki allows you to receive a data stream from the Meraki Scanning API. This will capture JSON probe data that is sent from Cisco Meraki via HTTP POST requests. The Scanning API version 1.0 and version 2.0 are both supported.

When the endpoint is not connected to the AP, you will capture the AP reporting the device, the latitude and longitude, the client’s MAC address, and the signal strength. When the endpoint connects to the WiFi network you will also capture the Manufacturer and OS of the device.

You can watch this video and follow the step-by-step instructions below.

Install the App

Follow these steps to install and set up the Presence Modular Input App:

  1. Download the app from Splunkbase here:
  2. On your Splunk Web interface, browse to Apps > Manage Apps
  3. Select “Install app from file”
  4. Click Choose File and select meraki-ta-0.7.spl, then click Upload
  5. Click Set up now.
  6. If you choose Set up later, you can browse to the Meraki App and enter the Meraki Secret and Validator in the setup screen.
  7. Copy and paste the Meraki Validator. This must match the settings on the Meraki Dashboard configuration.
  8. Enter the Meraki Secret you chose. This must match the settings on the Meraki Dashboard configuration.

Create an Index

To help distinguish your Meraki data later, you can set up a separate index for it under Settings->Indexes. This is highly recommended, especially when pulling in data from multiple sources. For example, using the ‘meraki’ index, we can see all real-time analytics as they come in with the search: index=meraki

  1. Navigate to Settings > Indexes
  2. Click New Index
  3. Name the index anything such as ‘meraki-scanning’
  4. Set a limit on the index to prevent it from filling your hard disk space.
  5. Click Save


Create a Data Input

Splunk uses Data Inputs to listen for data, and the Modular Input App uses an HTTP server called a to listen for event data from Meraki on a specific port and pipe the data into the app.

  1. Navigate to Settings > Data inputs
  2. Select Cisco Meraki and click New
  3. Enter the HTTP Web Server Port to listen on. This can be anything you choose, but it must match the settings on the Meraki dashboard configuration, and the firewall settings must allow this port.
  4. Set the CMX API Version to match the version configured on the Meraki Scanning API configuration.
    1. Note that typically version 2.0 is used. Version 1.0 will provide only MAC address and RSSI information. Version 2.0 includes location coordinates, manufacturer, OS, SSID, and AP Tags.
  5. Set the sourcetype to Manual and give it any name.
  6. Enable More Settings and configure the Index to match the new index you created
  7. On the Meraki dashboard, configure the Scanning API to send events to the HTTP POST URL and the port specified in Splunk. For example: http://yoursplunkhost:yourport/events
  8. Click Next and the Modular input should be created.
  9. Restart Splunk by navigating to Settings > Server controls > Restart Splunk
  10. Once Splunk has restarted, confirm the data is able to flow from Meraki by clicking “Validate” on the Meraki dashboard.
  11. If you see “Validated…” everything appears to be working and the HTTP Posts will begin sending from Meraki about every minute for every access point in the network.
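The exchange described in the Meraki Configuration steps and in the Data Input steps above is a GET from the Meraki cloud when you click “Validate”, followed by HTTP POSTs of JSON observations about once a minute per access point. As an added illustration (example code, not the Cisco Meraki Presence Modular Input’s own code), the minimal receiver below answers the validator GET and checks the shared secret on every POST before any observation is accepted. The validator and secret values and the sample POST are constructed; the v2.0 envelope layout (a JSON object with version, secret, type and a data object holding apMac, apTags, apFloors and an observations array) is an assumption, with the per-observation field names taken from the attribute list later in this guide.

```python
"""Scanning API receiver logic: answer the dashboard's validator GET and check
the shared secret on every POST before any observation is accepted.
Added example, not the Presence Modular Input's code. VALIDATOR, SECRET and the
sample POST are constructed; the v2.0 envelope layout is an assumption."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

VALIDATOR = "0123456789abcdef0123456789abcdef01234567"   # constructed value
SECRET = "correct-horse-battery-staple"                  # constructed value


def handle_get(path, validator=VALIDATOR):
    """GET /events is what the Meraki cloud sends when you click "Validate":
    the response body must be the validator string, otherwise validation fails."""
    if path != "/events":
        return 404, ""
    return 200, validator


def handle_post(path, body, secret=SECRET):
    """POST /events: refuse unless the embedded secret matches, then flatten
    each observation into one record carrying the reporting AP's context."""
    if path != "/events":
        return 404, []
    try:
        msg = json.loads(body)
    except ValueError:
        return 400, []
    if not isinstance(msg, dict):
        return 400, []
    # Constant-time comparison: the server is internet-reachable, so do not let
    # a remote party learn the secret byte by byte through response timing.
    if not hmac.compare_digest(str(msg.get("secret", "")), secret):
        return 403, []
    if msg.get("version") != "2.0" or msg.get("type") != "DevicesSeen":
        return 400, []
    data = msg.get("data", {})
    records = []
    for obs in data.get("observations", []):
        loc = obs.get("location") or {}          # null when location is unknown
        records.append({
            "apMac": data.get("apMac"),
            "apTags": data.get("apTags", []),
            "apFloors": data.get("apFloors", []),
            "clientMac": obs.get("clientMac"),
            "seenEpoch": obs.get("seenEpoch"),
            "ssid": obs.get("ssid"),
            "rssi": obs.get("rssi"),
            "manufacturer": obs.get("manufacturer"),
            "os": obs.get("os"),
            "lat": loc.get("lat"), "lng": loc.get("lng"), "unc": loc.get("unc"),
        })
    return 200, records


class EventsHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the two functions above can run as a real listener."""

    def do_GET(self):
        status, body = handle_get(self.path)
        self._reply(status, body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, records = handle_post(self.path, self.rfile.read(length).decode("utf-8"))
        for rec in records:                      # a real receiver hands these to the indexer
            print(json.dumps(rec))
        self._reply(status, "ok" if status == 200 else "")

    def _reply(self, status, body):
        payload = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


# Constructed sample POST shaped like a v2.0 DevicesSeen message.
SAMPLE_POST = json.dumps({
    "version": "2.0", "secret": SECRET, "type": "DevicesSeen",
    "apMac": "00:18:0a:aa:bb:cc",
    "data": {
        "apMac": "00:18:0a:aa:bb:cc", "apTags": ["lobby"], "apFloors": ["Ground floor"],
        "observations": [
            {"clientMac": "aa:bb:cc:11:22:33", "seenTime": "2018-05-18T20:15:00Z",
             "seenEpoch": 1526674500, "ssid": "Guest", "rssi": 24,
             "manufacturer": "Apple", "os": "iOS",
             "location": {"lat": 37.7, "lng": -122.4, "unc": 3.5, "x": [12.1], "y": [4.8]}},
            {"clientMac": "aa:bb:cc:44:55:66", "seenTime": "2018-05-18T20:15:00Z",
             "seenEpoch": 1526674500, "ssid": None, "rssi": 7,
             "manufacturer": None, "os": None, "location": None},
        ],
    },
})

if __name__ == "__main__":
    # Port 8181 is a constructed choice; it would have to match the dashboard POST URL.
    HTTPServer(("", 8181), EventsHandler).serve_forever()
```

Run the block directly to get a listener you can point a dashboard POST URL at; a GET on /events returns the validator, and a POST whose secret does not match is answered with 403 and discarded. Since the guide requires the server to be reachable from the internet, that secret check is what keeps arbitrary hosts from injecting fabricated observations into the index, so it belongs before any parsing of the payload.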

Using Splunk Search

Splunk uses its own language to write search strings, but these strings are simple to learn. The first search you should try is the simplest: all data being sent by Meraki and received by Splunk. Try these steps to do a search without any search strings.

  1. Click Splunk in the top left corner.
  2. Click Search & Reporting under Apps
  3. Click Data Summary
  4. Click the Sourcetype tab and select your Meraki source.
  5. Review the data and the attributes in the data that is brought into Splunk. You should see the apMac, clientMac, manufacturer, rssi, and more data in the search results.

Any log entries/errors will get written to a log file and indexed making them searchable. The log file is stored at $SPLUNK_HOME/var/log/splunk/splunkd.log. To search for errors, you can use this search string:

  • index=_internal error ExecProcessor


Creating Searches with Meraki Data

Before you can create dashboards, you first need to create a search with the data results you want, then select a visualization, and then save the visualization. Let’s walk through a simple example and then improve it until the results are exactly what we need to count the number of visitors and the types of operating systems they are using:

  1. Browse to Search in Splunk and enter the search string “*” in the search bar.
  2. You’ll notice data is returned below. If you have other data on your Splunk server, it will all be included together. The asterisk is a wildcard that tells the search to match anything and everything. If you don’t see data, go back to the troubleshooting section.
  3. Now let’s filter the data to just the events that contain a manufacturer. Run a search for the word “manufacturer”.
  4. You can see the different attributes that are included in the Meraki Scanning API:

    Name | Format | Description
    apMac | string | MAC address of the observing AP
    apTags | [string] | JSON array of all tags applied to the AP in dashboard
    apFloors | [string] | JSON array of all floorplan names on which this AP appears
    clientMac | string | Device MAC
    ipv4 | string | Client IPv4 address and hostname, in “hostname/address” format; only “/address” if no hostname, null if not available
    ipv6 | string | Client IPv6 address and hostname, in “hostname/address” format; only “/address” if no hostname, null if not available
    seenTime | ISO 8601 date string | Observation time in UTC; example: “1970-01-01T00:00:00Z”
    seenEpoch | integer | Observation time in seconds since the UNIX epoch
    ssid | string | Client SSID name; null if the device is not connected
    rssi | integer | Device RSSI as seen by AP
    manufacturer | string | Device manufacturer; null if manufacturer could not be determined
    os | string | Device operating system; null if the OS could not be determined
    location | location | Device geolocation; null if location could not be determined
    lat | decimal | Device latitude in degrees N of the equator
    lng | decimal | Device longitude in degrees E of the prime meridian
    unc | decimal | Uncertainty in meters
    x | [decimal] | JSON array of x offsets (in meters) from lower-left corner of each floorplan
    y | [decimal] | JSON array of y offsets (in meters) from lower-left corner of each floorplan
  5. You can create statistics for any of these attributes. Let’s generate some statistical data based on the operating system of the devices seen. Run a search for “* | stats count by os” and you will see the count of the number of times an operating system was seen in the data.
  6. Note however that there are multiple reports for each individual client device. The unique identifier for a specific client device is its MAC address. This is an attribute in the data labeled “clientMac”. To de-duplicate the MAC addresses, add the string “| dedup clientMac” in the middle of your search.
    • * | dedup clientMac | stats count by os
  7. This is decent data already, but we have some anomalies where the OS cannot be determined, so let’s filter that data out as it’s not very useful. Run the search for
    • os != null | dedup clientMac | stats count by os
  8. Measuring the operating systems of nearby wireless devices is helpful, but this will include every device that comes in range for any amount of time. It’s important to limit your search to devices that have a strong signal strength by adding “rssi > 15 AND” to the beginning of your search string.
    • rssi > 15 AND os != null | dedup clientMac | stats count by os
  9. Further limiting your search based on the amount of time a device spent in range is a way to successfully filter out very short visits. To add a time bucket of 20 minutes and require at least 5 reports within the time window, use this search string:
    • rssi > 15 AND os != null | bucket _time span=20m | stats count by _time,clientMac,os | search count>5 | dedup clientMac | stats count by os
  10. Now the search is complete and the data is ready to display in some graphical way. Click Visualization and change the type to a Pie Chart.
  11. You can see that the largest share of users to the location are using iOS devices.
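To make visible what each stage of the search refinement above actually does to the data, here is an added Python walk-through of the same pipeline (example code, not Splunk’s or the page’s own) run over a small set of constructed observation records. The three functions correspond to the plain count, the dedup-by-MAC count, and the final search with the RSSI filter, 20-minute bucket and count>5 threshold; the records, MAC addresses and timestamps are constructed.

```python
"""The visitor-count search from the steps above, carried out in Python on
constructed observation records so each stage of the pipeline can be inspected:
  rssi > 15 AND os != null | bucket _time span=20m
  | stats count by _time,clientMac,os | search count>5
  | dedup clientMac | stats count by os
Added example, not code from the page; all records below are constructed."""
from collections import Counter


def count_by_os(records):
    """* | stats count by os  -- counts reports, not devices; events with no os are dropped."""
    return dict(Counter(r["os"] for r in records if r.get("os")))


def unique_clients_by_os(records):
    """* | dedup clientMac | stats count by os  -- one row per MAC (dedup keeps the newest)."""
    first = {}
    for r in sorted(records, key=lambda r: r["seenEpoch"], reverse=True):
        first.setdefault(r["clientMac"], r)
    return dict(Counter(r["os"] for r in first.values() if r.get("os")))


def visitors_by_os(records, min_rssi=15, span=20 * 60, min_reports=5):
    """The full search: strong signal, known OS, more than min_reports sightings
    inside one span-second bucket, then one row per client."""
    # rssi > 15 AND os != null
    kept = [r for r in records if r["rssi"] > min_rssi and r.get("os")]
    # bucket _time span=20m | stats count by _time,clientMac,os
    per_bucket = Counter()
    for r in kept:
        bucket = r["seenEpoch"] - r["seenEpoch"] % span
        per_bucket[(bucket, r["clientMac"], r["os"])] += 1
    # search count>5  (strictly more than min_reports, as the search string says)
    qualifying = [key for key, n in per_bucket.items() if n > min_reports]
    # dedup clientMac | stats count by os
    seen, by_os = set(), Counter()
    for _bucket, mac, os_name in sorted(qualifying, reverse=True):
        if mac not in seen:
            seen.add(mac)
            by_os[os_name] += 1
    return dict(by_os)


def reports(mac, os_name, rssi, start, n, step=60):
    """Constructed helper: n sightings of one client, one per step seconds."""
    return [{"clientMac": mac, "os": os_name, "rssi": rssi, "seenEpoch": start + i * step}
            for i in range(n)]


T0 = 1_599_999_600  # constructed start time, aligned to a 20-minute boundary
SAMPLE_RECORDS = (
    reports("aa:bb:cc:00:00:01", "iOS", 30, T0, 8)           # strong, 8 reports: counts
    + reports("aa:bb:cc:00:00:01", "iOS", 30, T0 + 2400, 7)  # same phone later: dedup drops it
    + reports("aa:bb:cc:00:00:02", "Android", 30, T0, 3)     # only 3 reports: passer-by
    + reports("aa:bb:cc:00:00:03", "iOS", 5, T0, 10)         # weak signal: filtered
    + reports("aa:bb:cc:00:00:04", None, 30, T0, 10)         # unknown OS: filtered
    + reports("aa:bb:cc:00:00:05", "Android", 20, T0, 7)     # counts
)

if __name__ == "__main__":
    print("reports by os:        ", count_by_os(SAMPLE_RECORDS))
    print("unique clients by os: ", unique_clients_by_os(SAMPLE_RECORDS))
    print("visitors by os:       ", visitors_by_os(SAMPLE_RECORDS))
```

The same phone seen in two different 20-minute buckets produces two qualifying rows but only one visitor after dedup, which is why the dedup sits after the bucket count and not before it; moving it earlier would discard all but one sighting per client and nothing would ever reach the count>5 threshold.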

Creating Dashboards

You can save the visualization created in the Search tool as a report or directly to a dashboard. In this section, we will show you how to create a dashboard.

  1. Add your visualization to a dashboard. Click “Save As” > “Add to Dashboard”. Give your new dashboard a name. Set the permissions if you want this to be shared with other users or private.
  2. Click “Save” and “View Dashboard” and you’ll see your dashboard has a single panel.
  3. You can continue to add additional panels to your dashboard with more searches. You can see more examples of dashboard panels on our developer sandbox.
  4. You can login to our live demo of the Splunk instance using the following credentials:

Creating Reports

You can save the visualization created in the Search tool as a report or directly to a dashboard. In this section, we will walk through creating a report and scheduling it to automatically run every day.

  1. Set the time range that you want your report. For example “Year to Date”.
  2. Run your search and click “Save As” and select Report.
  3. Give your report a name and decide if you want the time range to be flexible. If you do not want a flexible time range, set “Time Range Picker” to No.
  4. Click View and you can bookmark this report for future use.
  5. This report will automatically run every time this page is refreshed, and we can schedule the report to run automatically by setting a schedule for it. Click Edit > Edit Schedule
  6. Set a schedule and time range such as ‘Run every day’ and Time Range ‘Yesterday’.

Splunk for Syslog

Syslog is also a great tool to troubleshoot network issues. Sometimes devices aren’t operating as expected, and if you’re using the MX’s integrated stateful firewall, syslog can identify individual traffic flows, show firewall events, and help pinpoint why devices are experiencing issues.

Splunk extracts the relevant information from your network data using Meraki’s Syslog function and enables Meraki customers to correlate this data with machine data across the infrastructure for better operational intelligence.

You can search in Splunk and see network event information from the MX. For example, you can see URLs that have been blocked by the MX’s content filtering or traffic flows blocked by the MX’s firewall.


Meraki Configuration

  1. Go to Network-wide -> General.
  2. Under the Reporting section, click on “Add a syslog server.”
  3. Input the IPv4 address and destination port.
  4. You have the option to specify which type of syslog messages to send to the server.

Splunk Configuration

  1. To help distinguish your Meraki Syslog data later, you can set up a separate index. This is highly recommended, especially when pulling in data from multiple sources.
    • Navigate to Settings->Indexes
    • Create a new index, for example named ‘meraki’
  2. Using the default Search & Reporting app that comes on Splunk Enterprise, simply search for a parameter in the desired timeframe. For example, using the ‘meraki’ index, we want to see all IPv6 traffic on the network that starts with 2001:
    • index=meraki src=2001*
  3. Add a new Data Input to collect syslog data. Navigate to Settings > Data Inputs and click UDP and then New.
  4. Enter the Port number you wish to use to collect data. The default for syslog is 513.
  5. Because it can be difficult to identify the various services, the app developer recommends opening up a separate port on your syslog server with a filter such as:
  6. If you use a high port number, remember to add an allow rule to your Linux firewall settings. The data input created in step 3 listens on UDP, so the rule is for UDP. For example, you can use this command to add port 15146:
    • sudo iptables -A INPUT -p udp -m udp --dport {your port} -j ACCEPT
  7. Review your settings and click Submit.

App Configuration

The Splunk server can collect Syslog by default, but it is recommended to use the TA-Meraki, written by Myron Davis. This adapter extracts the majority of logs into a CIM-compliant format and deposits them into the Splunk Common Information Model.

This TA assumes that the Cisco Meraki logs all have sourcetype=meraki.

The adapter will provide records following the below listed CIM models:

  • meraki-ids-alerts (ids, attack)
  • meraki-flows (network, communicate)
  • meraki-urls (web, proxy)
  • meraki-dhcp (network, session, dhcp)
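As an added example of the kind of field extraction the TA performs (example code, not TA-Meraki’s own), the parser below turns constructed MX syslog lines into events carrying the src, dst, action and sourcetype fields that searches like the index=meraki src=2001* query in the Splunk Configuration steps rely on, and tags each event with the sourcetype from the list above. It assumes the MX line layout `<epoch> <hostname> <category> key=value ... [pattern: | request:] <text>`, optionally preceded by a syslog `<PRI>` header and version; the addresses, MACs and the ids-alerts signature id in the samples are constructed placeholders.

```python
"""Parser for MX syslog lines into the field layout the searches above use.
Added example, not TA-Meraki's code. Assumed layout per line:
  [<PRI>[1 ]]<epoch> <hostname> <category> key=value ... [pattern: <text> | request: <method> <url>]
Sample lines, addresses and the ids signature id are constructed."""
import re

# category -> (sourcetype the TA would assign, CIM data model) from the list above
CATEGORIES = {
    "flows": ("meraki-flows", "network"),
    "urls": ("meraki-urls", "web"),
    "ids-alerts": ("meraki-ids-alerts", "ids"),
    "dhcp": ("meraki-dhcp", "network"),
}

HEADER_RE = re.compile(
    r"^(?:<\d+>\s*(?:1\s+)?)?(?P<ts>\d+(?:\.\d+)?)\s+(?P<host>\S+)\s+(?P<cat>[\w-]+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
TRAILER_RE = re.compile(r"\s*(pattern|request):\s*(.*)$")


def split_endpoint(value):
    """'203.0.113.80:80' -> ('203.0.113.80', '80'); a bare IPv4 or IPv6 address -> (value, None)."""
    if value.count(":") == 1:
        ip, port = value.split(":")
        return ip, port
    return value, None


def parse_line(line):
    """Return one event dict, or None for a line that is not an MX log we recognise."""
    m = HEADER_RE.match(line.strip())
    if not m or m["cat"] not in CATEGORIES:
        return None
    sourcetype, model = CATEGORIES[m["cat"]]
    event = {"_time": float(m["ts"]), "host": m["host"],
             "sourcetype": sourcetype, "model": model}
    rest = m["rest"]
    trailer = TRAILER_RE.search(rest)
    if trailer:
        rest = rest[:trailer.start()]
        if trailer.group(1) == "pattern":          # firewall verdict: 'allow all' / 'deny all'
            event["action"] = trailer.group(2).split()[0]
        else:                                      # content filter: 'GET http://...'
            method, _, url = trailer.group(2).partition(" ")
            event["http_method"], event["url"] = method, url
    for key, value in KV_RE.findall(rest):
        if key in ("src", "dst"):
            ip, port = split_endpoint(value)
            event[key + "_ip"] = ip
            if port is not None:
                event[key + "_port"] = port
        elif key == "mac":
            event["src_mac"] = value
        else:
            event[key] = value
    return event


def parse_lines(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def matching(events, field, prefix):
    """Equivalent of a search such as index=meraki src=2001*: field value starts with prefix."""
    return [e for e in events if str(e.get(field, "")).startswith(prefix)]


# Constructed sample lines (documentation-range addresses, placeholder MACs and signature id).
SAMPLE_LINES = [
    "<134>1 1526660000.123456789 MX_Branch flows src=192.0.2.25 dst=198.51.100.9 "
    "mac=AA:BB:CC:00:11:22 protocol=tcp sport=51432 dport=443 pattern: allow all",
    "<134>1 1526660001.000000000 MX_Branch flows src=192.0.2.40 dst=203.0.113.7 "
    "mac=AA:BB:CC:00:11:33 protocol=udp sport=5353 dport=5353 pattern: deny all",
    "<134>1 1526660002.500000000 MX_Branch urls src=192.0.2.25:51500 dst=203.0.113.80:80 "
    "mac=AA:BB:CC:00:11:22 request: GET http://example.com/",
    "<134>1 1526660003.250000000 MX_Branch ids-alerts signature=1:0000:1 priority=1 "
    "timestamp=1526660003.2 dhost=AA:BB:CC:00:11:22 direction=ingress protocol=tcp/ip "
    "src=203.0.113.80:80",
    "<134>1 1526660004.000000000 MX_Branch flows src=2001:db8::10 dst=2001:db8:1::53 "
    "mac=AA:BB:CC:00:11:44 protocol=udp sport=40000 dport=53 pattern: allow all",
]

if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(event)
    print("src=2001*:", [e["src_ip"] for e in matching(parse_lines(SAMPLE_LINES), "src_ip", "2001")])
```

Separating the src/dst value into address and port is what lets the flows, urls and ids-alerts categories share one src_ip field, so a single search on that field finds a blocked flow, the URL request from the same client and any IDS alert about it; the raw key=value pairs would otherwise put the port inside the address for two of the three categories.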


Advanced Analytics with Splunk and Meraki

Cisco worked together with Splunk and the Mexican Secretariat of Communications and Transportation to develop a Splunk dashboard to get analytics about the usage of the initiative, and not only raw information regarding the usage of the network known as Mexico Conectado.

The main objective of the Mexico Conectado program is to bring broadband Internet, free of charge, to Mexican Citizens through the deployment of more than 100,000 sites and public spaces powered by Cisco Meraki technology. It is distributed nationwide, primarily in schools, health centers, libraries, community centers, public parks, and government buildings.

The Splunk server takes data from Mexico Conectado sites, through Meraki APIs, and converts it into relevant information that facilitates measurement of the impact on the sustainability, social impact, influence, and future fine-tuning of the federal initiative.

For a deep dive on how this solution works, please watch this video from a presentation at the Cisco Live DevNet Zone.