https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289869#M34550 <P>cisco:ios </P> Wed, 05 Jul 2017 17:23:07 GMT cboillot 2017-07-05T17:23:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289863#M34544 <P>The dashboard is only showing me that I have 1 unique device. Digging into it, It looks like it is seeing the syslog server as the only device. I notice that some of the fields do have a "reported_hostname" field. How do I get those entries have have this to show this as the host field?</P> Wed, 05 Jul 2017 15:24:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289863#M34544 cboillot 2017-07-05T15:24:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289864#M34545 <P>please provide more info, what kind of devices are those?<BR /> are you using any of the pre-built splunk apps?<BR /> also might be related to how you write data to syslog <BR /> hope it slightly helps</P> Wed, 05 Jul 2017 16:19:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289864#M34545 adonio 2017-07-05T16:19:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289865#M34546 <P>several different kinds. we have routers, switches, ASAs, ect.</P> <P>We are using the "Cisco Networks App for Splunk Enterprise" and the "Splunk Add-on for Cisco Networks"</P> Wed, 05 Jul 2017 16:51:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289865#M34546 cboillot 2017-07-05T16:51:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289866#M34547 <P>how do you bring the data from syslog to splunk? universal forwarder? directly over TCP / UDP?</P> Wed, 05 Jul 2017 17:07:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289866#M34547 adonio 2017-07-05T17:07:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289867#M34548 <P>universal forwarder</P> Wed, 05 Jul 2017 17:14:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289867#M34548 cboillot 2017-07-05T17:14:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289868#M34549 <P>what is the sourcetype you have under your inputs stanza?</P> Wed, 05 Jul 2017 17:16:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289868#M34549 adonio 2017-07-05T17:16:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289869#M34550 <P>cisco:ios </P> Wed, 05 Jul 2017 17:23:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289869#M34550 cboillot 2017-07-05T17:23:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289870#M34551 <P>do you have the TA installed?<BR /> <A href="https://splunkbase.splunk.com/app/1467/#/details">https://splunkbase.splunk.com/app/1467/#/details</A></P> Wed, 05 Jul 2017 17:38:27 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289870#M34551 adonio 2017-07-05T17:38:27Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289871#M34552 <P>Yes, it is showing as being installed. Version 2.3.4.</P> Wed, 05 Jul 2017 19:10:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289871#M34552 cboillot 2017-07-05T19:10:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289872#M34553 <P>can you kindly share your inputs.conf on the forwarder?</P> Thu, 06 Jul 2017 01:29:01 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289872#M34553 adonio 2017-07-06T01:29:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289873#M34554 <PRE><CODE>[default] ignoreOlderThan = 10d blacklist = \.(gz|bz2|z|zip)$ recursive = false index = main [monitor:///var/agency_logs/AgencySyslog] sourcetype=cisco:ios </CODE></PRE> Thu, 06 Jul 2017 13:29:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289873#M34554 cboillot 2017-07-06T13:29:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289874#M34555 <P>are all devices placing their data in one folder, AgencySyslog?</P> Thu, 06 Jul 2017 17:21:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289874#M34555 adonio 2017-07-06T17:21:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289875#M34556 <P>They are all placing their data into the single file AgencySyslog.</P> Thu, 06 Jul 2017 20:47:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289875#M34556 cboillot 2017-07-06T20:47:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289876#M34557 <P>i believe this link will l be helpful:<BR /> <A href="https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html">https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html</A><BR /> worthwhile to look at those as well:<BR /> <A href="http://www.georgestarcher.com/splunk-success-with-syslog/">http://www.georgestarcher.com/splunk-success-with-syslog/</A><BR /> <A href="https://www.function1.com/2012/05/syslog-collection-with-splunk">https://www.function1.com/2012/05/syslog-collection-with-splunk</A><BR /> hope it helps</P> Fri, 07 Jul 2017 01:06:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289876#M34557 adonio 2017-07-07T01:06:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289877#M34558 <P>I will pass this information along and see what happens. Thank you.</P> Mon, 10 Jul 2017 13:47:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289877#M34558 cboillot 2017-07-10T13:47:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289878#M34559 <P>so, they redid the directories and now we have this:</P> <PRE><CODE>/var/agency_logs/cisco/ios/&lt;hostname&gt;/&lt;syslogfacility-text&gt;/&lt;syslogseverity-text&gt;/&lt;year-month-day&gt;.log </CODE></PRE> <P>and I have that entered in as </P> <PRE><CODE>[monitor:///var/agency_logs/cisco/ios/*/local7/*/*.log] host_segment = 5 </CODE></PRE> <P>However, these are not being pulled in for some reason.</P> Thu, 13 Jul 2017 15:19:20 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289878#M34559 cboillot 2017-07-13T15:19:20Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289879#M34560 <P>try this:<BR /> [monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log]<BR /> host_segment = 5</P> Tue, 29 Sep 2020 14:52:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289879#M34560 adonio 2020-09-29T14:52:10Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289880#M34561 <P>Done. But it still isn't pulling the data in.</P> <P>here is my <CODE>inputs.conf</CODE> file:</P> <PRE><CODE>[default] ignoreOlderThan = 10d blacklist = \.(gz|bz2|z|zip)$ recursive = false index = main # index = enterprise_90days sourcetype = cisco:ios crcSalt = &lt;SOURCE&gt; # Windows platform specific input processor. [monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log] host_segment = 5 # [monitor:///var/agency_logs/AgencySyslogWLC] # [monitor:///var/agency_logs/AgencySyslog] </CODE></PRE> Thu, 13 Jul 2017 16:28:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289880#M34561 cboillot 2017-07-13T16:28:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289881#M34562 <P>can you double check the full path to file and compare with examples here:<BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Specifyinputpathswithwildcards">https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Specifyinputpathswithwildcards</A></P> Thu, 13 Jul 2017 16:38:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289881#M34562 adonio 2017-07-13T16:38:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289882#M34563 <P>So I fixed my issue. I took the <CODE>local7</CODE> out of the monitor stanza, and, this is the most important change, I changed <CODE>recursive</CODE> to true.</P> Wed, 19 Jul 2017 16:52:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Reporting-only-one-unique-device/m-p/289882#M34563 cboillot 2017-07-19T16:52:52Z