I’ve spent a lot of my time lately with wireless location analytics for different purposes. Initially it was triggered through a customer request and now it’s more or less my current main topic at work.

In order to get started within the Cisco ecosystem a CMX or at least MSE is required and of course a Splunk instance. Cisco also provides a Splunk Add-On and a Splunk App for CMX. Documentation on these things is not really good so I will cover bits and peaces where I stumbled.

The Add-on

This is the essential part as the add-on is taking care of the data on-bording in Splunk. It will start a socket listening for the CMX Notifications and engage the HTTP Event Collector (HEC). These scripts are also querying the CMX API like for active clients. After successful installation you should see the following sourcetypes: cmxhttp (CMX Notifications), cmxanalytics (CMX stats), cmxactive (REST API), cmxmap (REST API) in your Splunk index.

All of these things will be shown in Splunk as a „Data Inputs“ and the scripts

The App

The app is not a requirement if you want to work with the CMX data within Splunk. However it has some neat dashboards and reports which might inspire you or is helpful at the beginning. Especially for Splunk beginners like myself it’s really helpful to get an overview of the amount of indexed data which comes from the CMX.


  • In the CMX Add-on there is a script which is opening the socket for receiving the CMX notifications. For secure connections it’s working with certificates which are hardcoded in the sourcecode of Server.py. This leads by default to errors with the python ssl hence the socket will not open.

In order to get this working you need to create your own cert where the key is in ca.pem and the cert is in cacert.pem. Either you do it with symlinks or you do it in the sourcecode. and links to the following files. Here you can find further reading

  • There is a „new“ password validation in the scripts of CMX App but it’s only expecting passwords in lower case. So in the web GUI setup it’s always complaining about an invalid password without ever trying to reach the CMX instance.

  • For cmxactive sourcetypes the data is collected via REST calls to the CMX API. These requests need the search capability on the Splunk instance where the CMX stuff is installed to get the floor IDs. During a project we were working with Splunk Cloud and therefore the Heavy Forwarder (HF) had no right to search the data, which lead to issues. The creator of the sourcecode had the intention to work with such limitations but the code is not working this way.

  • I’ve had some issues with the numbers of the cmxactive data, for some reason it was only a part of the clients received by cmxhttp. Unfortunately not all the necessary information is present in the cmxhttp notifications. Some things like the tags are missing from the data but this is very helpful when you want to do further stats on them. If somebody knows why, please enlighten me!


As a Splunk newbie I was really amazed of the new power which it introduces to the CMX data with almost no effort at all and a lot of the tools are already coming with Splunk. The CMX Add-on and App seem not really widely deployed in the field and this is a pity.

Go top