Although there are multiple threads related to this topic, none are useful, and they are confusing for newbies like me.
I have multiple Cisco devices (routers, an ASA firewall, an ACS server) and all are sending syslog directly to Splunk.
I'd be really grateful if anybody could give a step-by-step recommendation on how to view them separately.
I am especially confused because the sourcetype and source show cisco:asa for all the devices being searched (for example, when I am looking at logs for the SMTP relay, it shows the sourcetype as ASA).
Please help me friends!
In the Search and Reporting app, build 3 searches:
1. index=my_index source=first_source_name (the first source file that is in your index) and save it as eventtype Routers
2. index=my_index source=second_source_name and save it as eventtype asafirewall
3. index=my_index source=third_source_name and save it as eventtype acs_server
This is most likely because all of your devices are sending to the UDP input on the Splunk server, and you have that UDP input configured as cisco:asa. There are a few options to change this:
1) Create a different UDP input for each device type, each with its own sourcetype:
UDP/514 = cisco:asa
UDP/515 = cisco:ios
UDP/516 = cisco:acs
UDP/517 = myunixsyslogfeeds
2) Alternatively, you can configure props and transforms to assign the sourcetype based on a match against the host content.
See this article for more information : http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides
If you do either of the above, then at search time you can specify sourcetype=cisco:asa or sourcetype=cisco:acs etc.
@esix_splunk: OK, the 1st option is good, but I would still like to choose the second option:
The document says:
Create a stanza in transforms.conf that follows this syntax:
[<unique_stanza_name>]  - my value here is ciscoacs & SMTP
REGEX = <your_regex>
FORMAT = sourcetype::<your_custom_sourcetype_value>
DEST_KEY = MetaData:Sourcetype
Could you please decode the above stanza for Cisco ACS and SMTP relay logs?
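A way to decode the stanza for the ACS and SMTP relay case, and to check option 2 from the answer above (a props.conf + transforms.conf sourcetype override) before deploying it, as an added example that is not part of this thread and not Splunk's own code: a small Python dry-run that parses the two conf fragments and applies each REGEX / FORMAT / DEST_KEY rule to constructed syslog lines the way Splunk's TRANSFORMS- chain does (rules run in the listed order, and the last matching rule's sourcetype wins). The hostnames (fw01, rtr01, acs01, smtprelay01), the sourcetype name smtp:relay, and the sample events are assumptions; the regexes key off the hostname field of a standard syslog header, since that is what the answer suggests matching on. It also covers the cisco:ios case the answer mentions, which the question did not ask about.

```python
"""Offline dry-run of a Splunk props/transforms sourcetype override.

Added example, not from the thread. Assumption: the ACS server, the SMTP
relay and the router can be told apart by the hostname in the syslog header
(acs01, smtprelay01, rtr01 are made-up names).
"""
import configparser
import re

# Constructed props.conf: everything arriving on the shared UDP input is
# first tagged cisco:asa, then run through these transforms, in this order.
PROPS_CONF = r"""
[cisco:asa]
TRANSFORMS-set_sourcetype = set_cisco_ios, set_cisco_acs, set_smtp_relay
"""

# Constructed transforms.conf in the documented syntax. REGEX is matched
# against the raw event, FORMAT supplies the new value, and DEST_KEY names
# the metadata slot that holds the sourcetype.
TRANSFORMS_CONF = r"""
[set_cisco_ios]
REGEX = ^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+rtr\d+\s
FORMAT = sourcetype::cisco:ios
DEST_KEY = MetaData:Sourcetype

[set_cisco_acs]
REGEX = ^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+acs\d+\s
FORMAT = sourcetype::cisco:acs
DEST_KEY = MetaData:Sourcetype

[set_smtp_relay]
REGEX = ^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+smtprelay\d+\s
FORMAT = sourcetype::smtp:relay
DEST_KEY = MetaData:Sourcetype
"""

# Constructed sample events (syslog header without the <PRI> prefix).
SAMPLE_EVENTS = [
    "Jun 12 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.10/25 (203.0.113.10/25) to inside:192.0.2.20/49152 "
    "(192.0.2.20/49152)",
    "Jun 12 10:15:02 rtr01 42: *Jun 12 10:15:02.101: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (192.0.2.5)",
    "Jun 12 10:15:03 acs01 CSCOacs_Passed_Authentications 0000001234 1 0 "
    "Passed-Authentication: Authentication succeeded, UserName=jdoe",
    "Jun 12 10:15:04 smtprelay01 postfix/smtpd[2210]: connect from "
    "mail.example.net[203.0.113.25]",
]


def load_conf(text):
    """Parse a Splunk .conf fragment; keep the upper-case key names."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transforms_for(props, transforms, input_sourcetype):
    """Ordered (compiled_regex, new_sourcetype) pairs for one input sourcetype,
    taken from the TRANSFORMS-* attributes of its props.conf stanza."""
    chain = []
    if not props.has_section(input_sourcetype):
        return chain
    for key, value in props.items(input_sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            stanza = transforms[name]
            if stanza["DEST_KEY"] != "MetaData:Sourcetype":
                continue  # not a sourcetype override, ignore here
            fmt = stanza["FORMAT"]
            if not fmt.startswith("sourcetype::"):
                raise ValueError(f"{name}: FORMAT must be sourcetype::<value>")
            chain.append((re.compile(stanza["REGEX"]), fmt[len("sourcetype::"):]))
    return chain


def assign_sourcetype(raw, input_sourcetype, chain):
    """Run the chain in order; a later matching rule overwrites an earlier one.
    An event matching no rule keeps the sourcetype of the input it came in on."""
    sourcetype = input_sourcetype
    for regex, new_sourcetype in chain:
        if regex.search(raw):
            sourcetype = new_sourcetype
    return sourcetype


def classify_all(events=SAMPLE_EVENTS, input_sourcetype="cisco:asa"):
    """Return (hostname, final_sourcetype) for each event."""
    props = load_conf(PROPS_CONF)
    transforms = load_conf(TRANSFORMS_CONF)
    chain = transforms_for(props, transforms, input_sourcetype)
    return [(raw.split()[3], assign_sourcetype(raw, input_sourcetype, chain))
            for raw in events]


if __name__ == "__main__":
    for host, sourcetype in classify_all():
        print(f"{host:12} -> {sourcetype}")
```

Two caveats worth keeping in mind when moving the conf fragments into a real deployment: the TRANSFORMS- attribute must sit in props.conf under a stanza for the sourcetype (or source, or host) the UDP input already assigns, here [cisco:asa], and the key is DEST_KEY with an underscore. The override is applied at index time, so events already indexed as cisco:asa are not relabelled; only new data after a restart is affected.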