All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Reporting only one unique device

cboillot
Contributor
‎07-05-2017 08:24 AM

The dashboard is only showing me that I have 1 unique device. Digging into it, It looks like it is seeing the syslog server as the only device. I notice that some of the fields do have a "reported_hostname" field. How do I get those entries have have this to show this as the host field?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cboillot
Contributor
‎07-19-2017 09:54 AM

So I fixed my issue. I took the local7 out of the monitor stanza, and, this is the most important change, I changed recursive to true.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cboillot
Contributor
‎07-19-2017 09:54 AM

So I fixed my issue. I took the local7 out of the monitor stanza, and, this is the most important change, I changed recursive to true.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-05-2017 09:19 AM

please provide more info, what kind of devices are those?
are you using any of the pre-built splunk apps?
also might be related to how you write data to syslog
hope it slightly helps

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-05-2017 09:51 AM

several different kinds. we have routers, switches, ASAs, ect.

We are using the "Cisco Networks App for Splunk Enterprise" and the "Splunk Add-on for Cisco Networks"

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-05-2017 10:07 AM

how do you bring the data from syslog to splunk? universal forwarder? directly over TCP / UDP?

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-05-2017 10:14 AM

universal forwarder

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-05-2017 10:16 AM

what is the sourcetype you have under your inputs stanza?

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-05-2017 10:23 AM

cisco:ios

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-05-2017 10:38 AM

do you have the TA installed?
https://splunkbase.splunk.com/app/1467/#/details

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-05-2017 12:10 PM

Yes, it is showing as being installed. Version 2.3.4.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-05-2017 06:29 PM

can you kindly share your inputs.conf on the forwarder?

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-06-2017 06:29 AM 
[default]
ignoreOlderThan = 10d
blacklist = \.(gz|bz2|z|zip)$
recursive = false
index = main

[monitor:///var/agency_logs/AgencySyslog]
sourcetype=cisco:ios
0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-06-2017 10:21 AM

are all devices placing their data in one folder, AgencySyslog?

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-06-2017 01:47 PM

They are all placing their data into the single file AgencySyslog.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-06-2017 06:06 PM

i believe this link will l be helpful:
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
worthwhile to look at those as well:
http://www.georgestarcher.com/splunk-success-with-syslog/
https://www.function1.com/2012/05/syslog-collection-with-splunk
hope it helps

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-10-2017 06:47 AM

I will pass this information along and see what happens. Thank you.

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-13-2017 08:19 AM

so, they redid the directories and now we have this:

/var/agency_logs/cisco/ios/<hostname>/<syslogfacility-text>/<syslogseverity-text>/<year-month-day>.log

and I have that entered in as 

[monitor:///var/agency_logs/cisco/ios/*/local7/*/*.log]
host_segment = 5

However, these are not being pulled in for some reason.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-13-2017 08:32 AM

try this:
[monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log]
host_segment = 5

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-13-2017 09:28 AM

Done. But it still isn't pulling the data in.

here is my inputs.conf file:

[default]

ignoreOlderThan = 10d
blacklist = \.(gz|bz2|z|zip)$
recursive = false
index = main
# index = enterprise_90days
sourcetype = cisco:ios
crcSalt = <SOURCE>

# Windows platform specific input processor.

[monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log]
host_segment = 5

# [monitor:///var/agency_logs/AgencySyslogWLC]

# [monitor:///var/agency_logs/AgencySyslog]
0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-13-2017 09:38 AM

can you double check the full path to file and compare with examples here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Specifyinputpathswithwildcards

0 Karma
Reply
Solved! Jump to solution

cboillot
Contributor
‎07-19-2017 09:52 AM

So I fixed my issue. I took the local7 out of the monitor stanza, and, this is the most important change, I changed recursive to true.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...