Splunk Search

How should I group my network device types so I can easily search and view all events only for a particular type?

mjshoaf
New Member

I would like to group network device types in some way so that I can easily view all events for a particular type of device. For example, device types would be:

  • Switches
  • Routers
  • Network load balancers

I'd like to be able to:

  • View/search through all switch logs without seeing router logs
  • View/search through all network load balancer logs without seeing switch and router logs

Are tags the right approach to this? If so, how do I tag hosts en masse? Using the Splunk Web interface, searching, identifying each host and tagging it would take forever.

Ideas?

0 Karma

rphillips_splk
Splunk Employee

You need some method of differentiating the devices from one another; tagging is one way that could work. I have seen companies implement a global naming standard to indicate the type of the device in the host & DNS name, which could then be extracted from the host field into its own field. Then your search would just include the new field (i.e.: type=switch). Are all of your events syslog? If the format of the events is different between device types, you could use props & transforms to change the sourcetype based on a regex you match in the event. I would bet the load balancer syslog looks different from the router/switch syslog; however, if the router & switch syslog look similar in format, your best bet would be the tagging or renaming of the device.

0 Karma
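
The naming-standard and tagging approaches from the answer above, sketched as Splunk configuration. This is an added example, not part of the original posts; the host prefixes `sw-`, `rtr-` and `lb-`, the `syslog` sourcetype, the event type names and the `device_type` field name are all assumptions.

```ini
# ---- eventtypes.conf ----
# One event type per device class, matched on a host naming convention.
# The sw-/rtr-/lb- prefixes are assumed; substitute your own standard.
[network_switch]
search = host=sw-*

[network_router]
search = host=rtr-*

[network_load_balancer]
search = host=lb-*

# ---- tags.conf ----
# Tag the event types instead of each individual host, so any new host
# that follows the naming convention picks up the tag automatically.
[eventtype=network_switch]
switch = enabled

[eventtype=network_router]
router = enabled

[eventtype=network_load_balancer]
load_balancer = enabled

# ---- props.conf ----
# Alternative: derive a search-time field from the host name.
# The sourcetype stanza name is assumed.
[syslog]
EVAL-device_type = case(match(host, "^sw-"), "switch", match(host, "^rtr-"), "router", match(host, "^lb-"), "load_balancer")
```

With this in place, `tag=switch` or `device_type=switch` returns only switch events. Hosts that do not follow the naming convention match neither, so they need a rename or an explicit per-host entry.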