Splunk Search

How should I group my network device types so I can easily search and view all events only for a particular type?

mjshoaf
New Member

I would like to group network devices types in some way so that I can easily view all events for a particular type of device. For example, device types would be:

  • Switches
  • Routers
  • Network load balancers

I'd like to be able to:

  • View/search through all switch logs without seeing router logs
  • View/search through all network load balancer logs without seeing switch and router logs

Are tags the right approach to this? If so, how do I tag hosts en masse? Using the Splunk Web interface, searching, identifying each host and tagging it would take forever.

Ideas?

0 Karma

rphillips_splk
Splunk Employee

You need some method of differentiating the devices from one another; tagging is one way that could work. I have seen companies implement a global naming standard to indicate the type of the device in the host and DNS name, which could then be extracted from the host field into its own field. Then your search would just include the new field (i.e. type=switch). Are all of your events syslog? If the format of the events is different between device types, you could use props & transforms to change the sourcetype based on a regex you match in the event. I would bet the load balancer syslog looks different from the router/switch syslog; however, if the router and switch syslog look similar in format, your best bet would be the tagging or renaming of the device.

0 Karma
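The three approaches in the answer above (extracting the device type from a host naming standard, re-routing events to a per-type sourcetype with props & transforms, and tagging hosts in bulk) as one worked configuration. This is an added example, not configuration from the original thread; it assumes the incoming data carries the `syslog` sourcetype, a host naming standard of `<type>-<site>-<nn>` (e.g. `sw-dc1-01`), and a constructed process name `lbproc` that only the load balancers emit. The host names, tag names and regex are placeholders to be replaced with your own inventory.

```ini
# props.conf  (on the indexer or heavy forwarder that first parses the data;
# assumption: the network syslog arrives with sourcetype "syslog")
[syslog]
# Index-time: re-route load-balancer syslog to its own sourcetype, matched on
# a pattern in the event body (constructed example: a process called "lbproc").
TRANSFORMS-devtype = set_netlb_sourcetype
# Search-time: pull the device type out of the host field, assuming the
# naming standard <type>-<site>-<nn>, e.g. sw-dc1-01, rtr-dc1-02, lb-dc1-01.
EXTRACT-devtype = ^(?<devtype>sw|rtr|lb)-[^-]+-\d+$ in host

# transforms.conf
[set_netlb_sourcetype]
REGEX    = \blbproc\[\d+\]:
FORMAT   = sourcetype::syslog:netlb
DEST_KEY = MetaData:Sourcetype

# tags.conf  (bulk tagging: one stanza per host value, generated from an
# inventory/CMDB export instead of clicking through Splunk Web; host names
# below are constructed placeholders)
[host=sw-dc1-01]
switch = enabled
[host=sw-dc1-02]
switch = enabled
[host=rtr-dc1-01]
router = enabled
[host=lb-dc1-01]
netlb = enabled
```

With this in place, `index=network devtype=sw` or `index=network tag=switch` returns switch events only, and `index=network sourcetype=syslog:netlb` returns just the load balancers. Two caveats: the TRANSFORMS stanza is applied at index time, so only events indexed after the change get the new sourcetype, whereas the EXTRACT and tags.conf entries are search-time and apply to data already indexed; and the `devtype` extraction silently yields nothing for any host that does not follow the naming standard, so search for `index=network NOT devtype=*` once to find the stragglers.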