All,
So there are situations where folks ask me to "check the logs on everything on subnet 1.2.3.x/25" rather than by host, especially with PCI.
Is there a metadata relationship stored in Splunk between the UF and the host name? What about syslog devices?
Thanks in advance,
-Daniel
You can potentially create additional metadata fields with logical separation of these subnets. It can be via the beloved sourcetype field or any other field that you create.
You pretty much have it right; the search would be:
index=UrIndex sourcetype=whateverursourceis 1.2.3.*
This will return all the traffic back for that subnet only.
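Added example (not from either answer above): the wildcard 1.2.3.* matches the whole 1.2.3.0/24, so for a /25 like the one in the question you need a real CIDR test. Splunk's cidrmatch() eval function does that, and the same eval can tag each event with a subnet label, which is one way to build the "additional metadata field" the first answer suggests. The index and sourcetype names are placeholders, and src_ip is assumed to be extracted already (the rex line, which only fires when src_ip is missing, is a fallback for raw syslog lines that have not been field-extracted).

```spl
index=UrIndex sourcetype=whateverursourceis
| rex field=_raw "(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| eval pci_zone=case(
      cidrmatch("1.2.3.0/25", src_ip),   "pci_1.2.3.0/25",
      cidrmatch("1.2.3.128/25", src_ip), "non_pci_1.2.3.128/25",
      true(),                            "other")
| where pci_zone="pci_1.2.3.0/25"
| stats count values(host) AS hosts BY pci_zone src_ip
```

Once that eval is tested, the same expression can be saved as a calculated field or turned into a CIDR lookup (a lookup with match_type=CIDR on the IP column) so that pci_zone exists at search time without repeating the eval in every query; the host field itself still comes from the forwarder or the syslog header, so the IP has to be taken from the event, not from Splunk metadata.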