Getting Data In

How do you find other devices that are coming in from other source types within the networking index?

yzaari
New Member

Basically, I need to make sure that the syslog-ng servers are tagging the right source types and source addresses (not the syslog server IP but the network device IP) and forwarding this syslog info over to Splunk.

0 Karma

prakash007
Builder

@yzaari: let's assume that your index=network. There are many ways to grab the info; I will list a few here...

| metadata type=hosts index=network
| tstats values(host) as hosts, values(sourcetype) as sourcetypes where index=network
| tstats values(sourcetype) values(host) where index=network by index

https://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Metadata

0 Karma

yzaari
New Member

Thanks a lot, this is helpful.
I just don't know why I am not seeing all of our devices in the network in the list.
Also, I want to be able to use the Cisco networks dashboard and monitor all the devices in the network that are Cisco.

0 Karma

prakash007
Builder

Check your inputs.conf on your syslog server (do you have any host_segment or host_regex in there)..

index=network | dedup host | table host

(might give you hosts forwarding to that index)

0 Karma
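As an added example, not from this thread or from Splunk's documentation, here is an inputs.conf for the forwarder on the syslog-ng host that shows the weak stanza beside the corrected one: with no host_* setting every event is stamped with the collector's own hostname, which is exactly why only one "device" shows up in the list. It assumes syslog-ng writes each sending device into its own directory, /var/log/syslog-ng/<device-ip>/messages.log, and that the Cisco Networks app expects sourcetype cisco:ios; both are assumptions, so check your own layout and the app's docs.

```ini
# Added example, not the thread's own configuration.
# Assumed syslog-ng layout (constructed, verify against your server):
#   /var/log/syslog-ng/<device-ip>/messages.log
#   e.g. /var/log/syslog-ng/10.0.0.1/messages.log
#
# WEAK (shown commented out for comparison, do not deploy both):
# no host_segment/host_regex, so Splunk uses the forwarder's own
# hostname, i.e. the syslog-ng server, as host for every device.
#
# [monitor:///var/log/syslog-ng/*/messages.log]
# index = network
# sourcetype = syslog

# CORRECTED: derive host from the directory syslog-ng wrote the file into.
# Path segments are counted from the root: 1=var 2=log 3=syslog-ng
# 4=<device-ip>, so host_segment = 4 yields the network device, not
# the collector.
[monitor:///var/log/syslog-ng/*/messages.log]
index = network
sourcetype = syslog
host_segment = 4

# Equivalent alternative: host_regex is matched against the full file
# path and the first capture group becomes host. Use one of the two,
# not both.
# host_regex = ^/var/log/syslog-ng/([^/]+)/

# Devices that must feed the Cisco Networks dashboard need its sourcetype
# (assumed here to be cisco:ios); a separate directory lets the
# sourcetype be set per device group while host still comes from the
# 5th segment (1=var 2=log 3=syslog-ng 4=cisco 5=<device-ip>).
[monitor:///var/log/syslog-ng/cisco/*/messages.log]
index = network
sourcetype = cisco:ios
host_segment = 5
```

After restarting the forwarder, `| tstats count where index=network by host, sourcetype` should list one row per network device rather than a single row for the syslog-ng server.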