Getting Data In

How to move network devices that are pointing to one sourcetype to another sourcetype in the same index?

Hemnaath
Motivator

Hi All, currently I have a request from the network team: they want to point the sites 03r & 04r from index=net sourcetype=cisco:network:router to index=net sourcetype=cisco:network:switch.

I can see there are 35 devices currently pointing to index=net sourcetype=cisco:network:router which need to be pointed to index=net sourcetype=cisco:network:switch.

Device names to be moved to index=net sourcetype=cisco:network:switch from index=net sourcetype=cisco:network:router:
xxxxxx03r
uxxxxx03r
xxxxxx03r
uxxxxx03r-vlan200

uxxxxx04r
uxxxxx04r
uxxxxx04r
cxxxxxx04r

inputs.conf details:

[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4

[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

Kindly guide me on how to reconfigure the network devices to point to index=net sourcetype=cisco:network:switch instead of index=net sourcetype=cisco:network:router.

thanks in advance.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this for inputs.conf

# Monitor router.log from all devices except those with 03r or 04r in the name.
# blacklist is a regex tested against the full file path (unanchored); \w* rather
# than \w{3} is needed because the device-name prefix varies in length.
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4
blacklist = network\/\w*0(3|4)r

# Monitor router.log only from devices with 03r or 04r in the name
# (no trailing * after the group: (3r|4r)* would also match a name ending in just "0").
[monitor:///opt/syslogs/network/\w*0(3r|4r)/router.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

0 Karma
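An alternative layout, added here as an example and not posted in the thread: instead of writing the regex into the second monitor path, use Splunk's documented whitelist and blacklist settings, which are regexes tested against the full file path. The two router.log stanza headers are deliberately written differently (`...` recurses into subdirectories, `*` matches a single path segment) because identical stanza names in one .conf file are merged into one; with the directory layout quoted in the thread (one device directory directly under network/) both headers select the same files, and the complementary blacklist/whitelist guarantee each router.log file matches exactly one stanza. The trailing `[-./]` in the regex is my assumption, added so that 03r/04r must be followed by a separator (as in 03r-vlan200, 03r.xxxx.com or 03r/router.log) rather than appear anywhere inside a device name.

```ini
# Router logs from every device EXCEPT the 03r/04r ones.
# blacklist is a regex matched anywhere in the full path.
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4
blacklist = network\/\w*0(3|4)r[-./]

# Router logs from ONLY the 03r/04r devices. Same regex, used as a whitelist,
# so the two router.log stanzas are disjoint. The header uses * instead of ...
# only so that the stanza name differs from the one above (duplicate stanza
# names in a .conf file are merged); both select <network>/<device>/router.log*.
[monitor:///opt/syslogs/network/*/router.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4
whitelist = network\/\w*0(3|4)r[-./]

# Switch logs, unchanged.
[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4
```

host_segment=4 is unchanged in all three stanzas: counting segments of /opt/syslogs/network/<device>/router.log from 1, the fourth is the device directory, so the host field is still taken from the directory name regardless of which sourcetype the file lands in.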

Hemnaath
Motivator

Hi Somesoni2, thanks for your effort on this. Can we update the monitoring stanza below to capture only the 03r and 04r router.log files and map them to sourcetype=cisco:network:switch, as you mentioned in your comment?

Below are the paths from which Splunk is reading the data; this data is collected on a centralized syslog server which is also a Heavy Forwarder instance.

/opt/syslogs/network/axxxx03r/router.log
/opt/syslogs/network/bxxx304r/router.log
/opt/syslogs/network/csxxxx03r-vlan200/router.log
/opt/syslogs/network/atxxx03r.xxxx.com/router.log
/opt/syslogs/network/uxxxxx04r/router.log

[monitor:///opt/syslogs/network/\w*0(3r|4r)/router.log]
index=net
sourcetype=cisco:network:switch
host_segment=4

\w is used to match any single character as a word, but I am not sure what " \w*0(3r|4r)/router.log " will do. Is it possible to throw some light on this? I am not good at regex.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Somesoni2, thanks for your effort on this. The stanza you mentioned above worked, and I can see that the 03r and 04r device data is captured under index=net sourcetype=cisco:network:switch and the other devices' (01r and 02r) data is captured under index=net sourcetype=cisco:network:router.

I made a small change in the regex: instead of blacklist = network\/\w{3}0(3|4)r
I used the * wildcard: blacklist = network\/\w*0(3|4)r

thanks a lot.

0 Karma
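To make the regex discussion above concrete (the question about what \w*0(3r|4r) does, and the \w{3} to \w* change that made the blacklist work), here is an added Python example that is not from the thread. It tests the two posted blacklist patterns, plus a tightened variant of my own, against paths constructed from the ones quoted in the thread and one constructed edge-case device name, under an assumed two-stanza layout in which one router.log stanza carries the regex as a blacklist and a second carries the same regex as a whitelist. Splunk tests whitelist/blacklist regexes against the full path without anchoring, which `re.search()` reproduces; the `route()` function and the `[-./]` suffix are illustrative assumptions, not Splunk code.

```python
import re

# Constructed sample paths modelled on the ones quoted in the thread
# (the device names are redacted placeholders from the posts, not real hosts).
SAMPLE_PATHS = [
    "/opt/syslogs/network/axxxx03r/router.log",
    "/opt/syslogs/network/bxxx304r/router.log",
    "/opt/syslogs/network/csxxxx03r-vlan200/router.log",
    "/opt/syslogs/network/atxxx03r.xxxx.com/router.log",
    "/opt/syslogs/network/uxxxxx04r/router.log",
    "/opt/syslogs/network/xxx01r/router.log",
    "/opt/syslogs/network/xxx02r/router.log",
    "/opt/syslogs/network/xxxx01psr/router.log",
    "/opt/syslogs/network/uxxxxx04r/switch.log",
]
# Constructed edge case (hypothetical device name): "03r" appears in the middle
# of a name that actually ends in 01r.
EDGE_PATH = "/opt/syslogs/network/xxx03rz01r/router.log"

# The patterns under discussion. Splunk tests blacklist/whitelist against the
# full path without anchoring, which is what re.search() does below.
ORIGINAL_BLACKLIST = r"network\/\w{3}0(3|4)r"      # first answer: exactly 3 chars before the 0
POSTED_BLACKLIST   = r"network\/\w*0(3|4)r"        # the version reported as working
TIGHT_BLACKLIST    = r"network\/\w*0(3|4)r[-./]"   # assumption: require a separator after the r


def matches(regex: str, path: str) -> bool:
    """True if the regex matches anywhere in the path (whitelist/blacklist semantics)."""
    return re.search(regex, path) is not None


def host_segment(path: str, n: int = 4) -> str:
    """What host_segment=n yields: the n-th path segment, counting from 1 after the leading '/'."""
    return path.strip("/").split("/")[n - 1]


def route(path: str, pattern: str = TIGHT_BLACKLIST):
    """Sourcetype a file would receive under an assumed two-stanza layout:

      router.log*  with  blacklist=pattern  -> cisco:network:router
      router.log*  with  whitelist=pattern  -> cisco:network:switch
      switch.log*                           -> cisco:network:switch

    Because the same regex is the blacklist of one stanza and the whitelist of
    the other, every router.log file lands in exactly one of them. Returns None
    for files neither stanza monitors.
    """
    filename = path.rsplit("/", 1)[-1]
    if filename.startswith("switch.log"):
        return "cisco:network:switch"
    if not filename.startswith("router.log"):
        return None
    if matches(pattern, path):
        return "cisco:network:switch"   # whitelisted into the switch stanza
    return "cisco:network:router"       # kept by the blacklist stanza


def routing_table(pattern: str = TIGHT_BLACKLIST) -> dict:
    """Map each sample path to (host, sourcetype) so the split can be eyeballed."""
    return {p: (host_segment(p), route(p, pattern)) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for name, pattern in [("original", ORIGINAL_BLACKLIST),
                          ("posted", POSTED_BLACKLIST),
                          ("tight", TIGHT_BLACKLIST)]:
        print(f"--- {name}: {pattern}")
        for path, (host, st) in routing_table(pattern).items():
            print(f"{host:24} {st}")
    print("edge case under posted regex:", route(EDGE_PATH, POSTED_BLACKLIST))
    print("edge case under tight regex: ", route(EDGE_PATH, TIGHT_BLACKLIST))
```

Running it shows why \w{3} matched nothing: the pattern demands exactly three word characters between network/ and the 0, while the quoted device names have prefixes of four to six characters, so every router.log stayed on the router sourcetype. With \w* all five 03r/04r paths move, including the -vlan200 and .xxxx.com variants, because the match is a substring match and \w* simply stops before the 0. The same unanchored matching is the caveat: a name that merely contains "03r" (the constructed xxx03rz01r) is moved too, which the [-./] suffix prevents.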

Hemnaath
Motivator

Hi somesoni2, how do I convert this to an answer?

thanks in advance.

0 Karma

somesoni2
Revered Legend

Here you go.

0 Karma

richgalloway
SplunkTrust

In addition to what somesoni2 said, the already-indexed data cannot be changed. Until the existing data ages out, you will need to search for BOTH sourcetype=cisco:network:router and sourcetype=cisco:network:switch to find all of the devices. A macro will make that easy.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Hemnaath
Motivator

Hi richgalloway, but can we create a new inputs stanza and start pointing the future log data from the devices named 03r and 04r to the new sourcetype=cisco:network:switch? Will there be any impact from this?

The network team is asking to reconfigure the devices 03r and 04r to point to sourcetype=cisco:network:switch instead of sourcetype=cisco:network:router.

Kindly guide me on this.

0 Karma

richgalloway
SplunkTrust

Yes, you can do that. The impact is minor. Once you change the inputs.conf file, new data will be indexed with the new cisco:network:switch sourcetype, but devices will still exist in the index with the old sourcetype. Any searches for the devices should specify index=net (sourcetype=cisco:network:router OR sourcetype=cisco:network:switch) | ...

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
Revered Legend

Just change sourcetype=cisco:network:router to sourcetype=cisco:network:switch in your first input stanza (the one for router.log).

0 Karma

Hemnaath
Motivator

Hi Somesoni2, thanks for your effort on this. Currently all these devices, named xxx01r, xxx02r, xxx03r, xxx04r, xxxx01psr and xxxx-inside-xsx-failover-vlan201, are pointing to the inputs.conf stanza below:

[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4

But the network team wants only the data from the devices named xxx03r and xxx04r to be pointed to index=net sourcetype=cisco:network:switch, and there are 35 devices in total with 03r and 04r in the name.
So how do I move only these 03r and 04r devices to point to index=net sourcetype=cisco:network:switch,
keeping the rest of the devices pointing to index=net sourcetype=cisco:network:router?

Please guide me on this.

0 Karma