Solved: How to modify the network devices which are pointi... - Page 2

Hemnaath · ‎09-19-2017

Hi All, Currently I have request from the network team that they wanted to point the site 03r & 04r from index=net sourcetype=cisco:network:router to index=net sourcetype=cisco:network:switch .

I could see there 35 devices currently pointing to the index=net sourcetype=cisco:network:router which needs to be pointed to index=net sourcetype=cisco:network:switch.

device names to be moved to the index=net sourcetype=cisco:network:switch from index=net sourcetype=cisco:network:router
xxxxxx03r
uxxxxx03r
xxxxxx03r
uxxxxx03r-vlan200

uxxxxx04r
uxxxxx04r
uxxxxx04r
cxxxxxx04r

details inputs.conf

[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4

[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

kindly guide me how to reconfigure network device to point to index=net sourcetype=cisco:network:switch instead of index=net sourcetype=cisco:network:router.

thanks in advance.

somesoni2 · ‎09-19-2017

Try this for inputs.conf

#Monitoring router.log from all devices except one with  03r or 04r
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4
blacklist = network\/\w{3}0(3|4)r

#Monitoring router.log from only one with  03r or 04r
[monitor:///opt/syslogs/network/\w*0(3r|4r)*/router.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

View solution in original post

How to modify the network devices which are pointing from one sourcetype to another sourcetype in the same index?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor