Solved: How to modify the network devices which are pointi... - Page 2

Hemnaath · ‎09-19-2017

Hi All, Currently I have request from the network team that they wanted to point the site 03r & 04r from index=net sourcetype=cisco:network:router to index=net sourcetype=cisco:network:switch .

I could see there 35 devices currently pointing to the index=net sourcetype=cisco:network:router which needs to be pointed to index=net sourcetype=cisco:network:switch.

device names to be moved to the index=net sourcetype=cisco:network:switch from index=net sourcetype=cisco:network:router
xxxxxx03r
uxxxxx03r
xxxxxx03r
uxxxxx03r-vlan200

uxxxxx04r
uxxxxx04r
uxxxxx04r
cxxxxxx04r

details inputs.conf

[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4

[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

kindly guide me how to reconfigure network device to point to index=net sourcetype=cisco:network:switch instead of index=net sourcetype=cisco:network:router.

thanks in advance.

somesoni2 · ‎09-19-2017

Try this for inputs.conf

#Monitoring router.log from all devices except one with  03r or 04r
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4
blacklist = network\/\w{3}0(3|4)r

#Monitoring router.log from only one with  03r or 04r
[monitor:///opt/syslogs/network/\w*0(3r|4r)*/router.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4

View solution in original post

How to modify the network devices which are pointing from one sourcetype to another sourcetype in the same index?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!