
add devices into multiple groups

sherrysafdar
Explorer

We have 10 different sites and I would like to create a group for each site.

For example, I want to add SITE-A devices in SITE-A group and SITE-B devices in SITE-B group to be visible.

Please help, thanks!

0 Karma

chrisyounger
SplunkTrust

One way to do this is to create an automatic lookup. The structure of the CSV would be like so:

host,group
host1,group1
host2,group1
host3,group1
host4,group2
host5,group3

With an automatic lookup, every time you search on a sourcetype, the "group" field will be automatically added to every event.

Hope this helps

0 Karma

sherrysafdar
Explorer

Quick question: is that possible using tags?

0 Karma

chrisyounger
SplunkTrust

You could use "eventtypes" if you like. Create an eventtype called "firewalls_texas", "firewalls_california", etc.

0 Karma

sherrysafdar
Explorer

I need to identify 192.168.100.1 as Texas_Firewall and 192.168.200.1 as California_Firewall.

This is what I am trying to accomplish.

And later, if in the future there are more firewalls in Texas, I can simply add them to the Texas_Firewall group or whatever it is.

I am also not quite sure how I can write the query at this point, but I need to accomplish the first task first.

Thanks,

0 Karma

sherrysafdar
Explorer

Can you give an example for automatic lookup?

0 Karma
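The following is an added worked example (not posted by chrisyounger or anyone else in this thread) that puts the automatic-lookup suggestion and the eventtype alternative together for the two firewalls named above. It assumes the Fortinet events arrive with sourcetype `fortigate` and that the `host` field carries each firewall's IP address; both of those names are assumptions, as are the file and stanza names `firewall_groups.csv`, `firewall_groups` and `LOOKUP-firewall_group`. All of the files live in the same app's `lookups/` and `local/` directories.

```ini
# lookups/firewall_groups.csv  (constructed sample data)
# One row per firewall; "group" is the label you want to search on.
# Add a row whenever a new Texas or California firewall is onboarded.
#
#   host,group
#   192.168.100.1,Texas_Firewall
#   192.168.200.1,California_Firewall

# local/transforms.conf
# Names the lookup table so props.conf can reference it.
[firewall_groups]
filename = firewall_groups.csv

# local/props.conf
# Automatic lookup: for every event of this sourcetype, match the event's
# "host" field against the "host" column and add the "group" field.
# Sourcetype "fortigate" is an assumption; use your own.
[fortigate]
LOOKUP-firewall_group = firewall_groups host OUTPUT group

# With the automatic lookup in place, a search such as
#   sourcetype=fortigate group=Texas_Firewall
# returns only the Texas firewall(s), and
#   sourcetype=fortigate | stats count BY group
# shows activity per site.

# local/eventtypes.conf
# The eventtype alternative from the thread: each eventtype is just a
# saved search expression, so the IP list is maintained here instead of
# in the CSV.
[firewalls_texas]
search = sourcetype=fortigate host=192.168.100.1

[firewalls_california]
search = sourcetype=fortigate host=192.168.200.1

# local/tags.conf
# Tags can be attached to eventtypes, which answers the "using tags?"
# question: "tag=texas" then matches any event that hits the eventtype.
[eventtype=firewalls_texas]
texas = enabled

[eventtype=firewalls_california]
california = enabled
```

The lookup approach scales better than the eventtype approach: adding a firewall means appending one CSV row rather than editing a search string, and the same CSV can be queried directly (`| inputlookup firewall_groups`) to audit which hosts belong to which site. If the firewalls' `host` values are hostnames rather than IPs, the `host` column must match those values exactly, since CSV lookups are case-sensitive unless `case_sensitive_match = false` is set on the transforms.conf stanza.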

BainM
Communicator

Hi sherrysafdar -
Could you please be a little more specific? Where do the groups apply? Deployment Server groups? I could guess, but that won't help you.

0 Karma

sherrysafdar
Explorer

BainM, we have multiple Fortinet firewalls and we would like to separate each firewall in the search. Hope that clarifies your question?

0 Karma