Hello I'm new to Splunk and I've been given the task to add new types of devices to our Splunk delployment. This includes creating dashboards to be able to find the information we want to know quicker. Now Currently we use many different devices, Cisco, Juniper and Calix to name a few. We capture all of the information using the same source.
Now what I want to do is create different dashboards for the different types of devices on the network. So you can look at all the different errors or other troubles coming in on certain devices. I tried tagging a few device based on hostname but this seems impractical and very long process. I also tried extracting fields on the various logs that come in. I find there's a lot of conflict since the devices use a different type of message format it causes conflicts when I try to extract fields.
Would it be easier to split up the devices by sending them to diffrent source ie udp xxx1 for cisco xxx2 for juniper and so forth. Or is there an easier way. I have the Cisco IOS app installed and I notice source type from cisco devices is set to Cisco IOS. Would it be easy to set something like that up for my other devices?
Think of sourcetype as a synonym for data format. Each source that uses a different data format should have its own sourcetype. The sourcetype definition can tell Splunk how to extract fields and how to normalize the field names (using FIELDALIAS, etc.).
Once you've cleaned up the data it should be easier to find the data you need for your dashboards.
--- If this reply helps you, Karma would be appreciated.