Downloading TA-meraki
SHA256 checksum (ta-meraki_107.tgz) 177116e0a50b01c9b8adefc592a19654e15cce6164e6c5e8cbd3ccc55b6518eb SHA256 checksum (ta-meraki_106.tgz) 33e16370a716d57925e3e272fa0b72ac05a1178961856c2e47f5239d0e5e4be4 SHA256 checksum (ta-meraki_105.tgz) 21b292f7c258c9496587f5a72be4c5dc30a4156baf0f13d56abedff15120d3ea SHA256 checksum (ta-meraki_104.tgz) 2e4a25e3f6fd092a5aaa991ef2d8ce0d859a8dac70387e8a22ccc79a9909a83d SHA256 checksum (ta-meraki_103.tgz) bdad01ced3904e387875cb742613530565782b55e4a3fd2f1a601af4ffe9b87c SHA256 checksum (ta-meraki_102.tgz) f4f27412a6465537f1119997eba3537a87696ab3b2899c01ed4d32da32866b82 SHA256 checksum (ta-meraki_101.tgz) b0136c2924d1192ae033158d14743c4a27435a8c49ec3a0661f0b31166fc4061
Splunk Certified
This is a set of technology adapters for Splunk to extract Cisco Meraki logs via syslog. Meraki sends several different log formats, some more complete than others. The majority of the extracted logs are CIM compliant and deposited into the Splunk Common Information Model.

Provides records following the CIM models listed below:
meraki-ids-alerts (ids, attack); meraki-flows (network, communicate); meraki-urls (web, proxy); meraki-dhcp (network, session, dhcp)

This is a technology adapter that enables front-end applications to view Meraki data via the Common Information Model. If the front end is written to CIM standards, your Meraki data will automatically appear in that app. Examples include Splunk Enterprise Security (and likely others).

This TA-app assumes the following:
Cisco Meraki logs will all have sourcetype meraki

This app provides the following common information models:
ids = enabled
attack = enabled
network = enabled
communicate = enabled
web = enabled
proxy = enabled
network = enabled
session = enabled
dhcp = enabled

Because it is sometimes difficult to identify the various services Meraki provides, I recommend opening a separate port on your syslog server with a filter as listed below, or adding a new high-numbered UDP port on a heavy forwarder (or, if you have only one indexer, on that box) and then configuring that box as a syslog server on the chosen UDP port.


host_segment = 4

sourcetype = meraki

sourcetype = meraki

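Sample config for syslog-ng

# port to process meraki
source s_ext_udp_15146 {
    udp(so_rcvbuf(1073741823) log_fetch_limit(10000) port(15146));
};
filter f_meraki { facility(local0); };
destination d_meraki {
    # <MERAKI_LOG_FILE> is a placeholder: the destination file path is missing from this page
    file("<MERAKI_LOG_FILE>" owner(root) group(adm) perm(0640) dir_perm(0751) dir_group(adm) create_dirs(yes) template("$ISODATE $HOST $MSGHDR$MSGONLY\n"));
};
log { source(s_ext_udp_15146); filter(f_meraki); destination(d_meraki); };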

Release Notes

Version 1.0.7
Aug. 31, 2017

Re-released under Creative Commons Attribution-ShareAlike 3.0 Unported (source of support changed). Some cleanup. New logo.

Version 1.0.6
March 10, 2017

changed category field to a multi-field in order to pick up multiple category websites

Version 1.0.5
Jan. 31, 2017

bugfix for AP, flows were reported at the end of the log line unlike the other devices. Removed to blank space check at the end of [meraki_dest_port2]

Version 1.0.4
Jan. 27, 2017

cleanup on DHCP portion to make it easier to read
cleanup on signature_id to become more useful (applied signature_id to dhcp entries based on Microsoft DHCP error ids)
applied coalesce to a few different variables that were being reported by different regex's (signature_id,meraki_action,meraki_priority)

Version 1.0.3
Jan. 26, 2017

bugfix report of different logformat for flows on MX access point. Added new extractions for flows on AP.
bugfix regarding if you search for a signature created in the dhcp portion it was being overwritten by #FIELDALIAS-signature = category AS signature from the web portion; changed to a coalesce so now you can do a regular search on both without searching the model

Version 1.0.2
Jan. 24, 2017

bugfix: thank you jgrayccm;

Version 1.0.1
Oct. 5, 2016

added meraki_dhcp_lease_release extraction
added meraki_events_ad extraction, basic identification for Active Directory activity
added meraki_date_clipper, if added to indexer or heavy forwarder this removes unix timestamp date and saves about 19 bytes of data per log file (normal syslog timestamp still exists) (optional), if the file format changes this will have no effect

