Splunk Search

How should I group my network device types so I can easily search and view all events only for a particular type?

New Member

I would like to group network device types in some way so that I can easily view all events for a particular type of device. For example, device types would be:

  • Switches
  • Routers
  • Network load balancers

I'd like to be able to:

  • View/search through all switch logs without seeing router logs
  • View/search through all network load balancer logs without seeing switch and router logs

Are tags the right approach to this? If so, how do I tag hosts en masse? Using the Splunk Web interface, searching, identifying each host and tagging it would take forever.


0 Karma

Splunk Employee

You need some method of differentiating the devices from one another; tagging is one way that could work. I have seen companies implement a global naming standard to indicate the type of the device in the host & DNS name, which could then be extracted from the host field into its own field. Then your search would just include the new field (i.e.: type=switch). Are all of your events syslog? If the format of the events is different between device types, you could use props & transforms to change the sourcetype based on a regex you match in the event. I would bet the load balancer syslog looks different from the router/switch syslog; however, if the router & switch syslog look similar in format, your best bet would be the tagging or renaming of the device.

0 Karma
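The two approaches from the answer above, sketched as Splunk configuration (an added example, not part of the original thread). It assumes a constructed hostname standard (`sw-`, `rtr-`, `lb-` prefixes), an incoming sourcetype of `syslog`, and hypothetical names `device_type`, `lb_syslog` and `set_lb_sourcetype`; the load balancer regex is a placeholder.

```ini
# ---------- props.conf ----------
# Assumption: all network device events currently arrive as sourcetype "syslog".
[syslog]
# Index-time: pass each event to the transform below, which rewrites the
# sourcetype when the event matches the load balancer pattern. This runs where
# parsing happens (indexer or heavy forwarder) and only affects newly indexed data.
TRANSFORMS-set_lb_sourcetype = set_lb_sourcetype

# Search-time: derive a device_type field from the hostname prefix.
# Assumed naming standard (constructed): sw-core-01, rtr-edge-02, lb-dmz-01
EXTRACT-device_type = ^(?<device_type>sw|rtr|lb)- in host

# Events rewritten to lb_syslog no longer match the [syslog] stanza at search
# time, so the same extraction is repeated for the new sourcetype.
[lb_syslog]
EXTRACT-device_type = ^(?<device_type>sw|rtr|lb)- in host

# ---------- transforms.conf ----------
[set_lb_sourcetype]
# Placeholder pattern: replace with text that appears only in your
# load balancer events (for example, its syslog process name).
REGEX = \sEXAMPLE-LB-PROCESS\[
FORMAT = sourcetype::lb_syslog
DEST_KEY = MetaData:Sourcetype

# ---------- resulting searches ----------
# Switches only:        sourcetype=syslog device_type=sw
# Routers only:         sourcetype=syslog device_type=rtr
# Load balancers only:  sourcetype=lb_syslog
```

The hostname extraction applies to already-indexed events because it runs at search time, while the sourcetype rewrite only takes effect for data indexed after the change.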