I would like to group network device types in some way so that I can easily view all events for a particular type of device. For example, device types would be:
I'd like to be able to:
View/search through all switch logs without seeing router logs
View/search through all network load balancer logs without seeing switch and router logs
Are tags the right approach to this? If so, how do I tag hosts en masse? Using the Splunk Web interface, searching, identifying each host and tagging it would take forever.
Ideas?
You need some method of differentiating the devices from one another; tagging is one way that could work. I have seen companies implement a global naming standard to indicate the type of the device in the host & DNS name, which could then be extracted from the host field into its own field. Then your search would just include the new field (e.g.: type=switch).

Are all of your events syslog? If the format of the events is different between device types, you could use props & transforms to change the sourcetype based on a regex you match in the event. I would bet the load balancer syslog looks different from the router/switch syslog; however, if the router & switch syslog look similar in format, your best bet would be the tagging or renaming of the device.
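As an added illustration of the two approaches in the answer above (not configuration posted by the answerer, and not tied to any particular vendor), here is what the host-name field extraction and the regex-based sourcetype override look like in props.conf and transforms.conf. It assumes a naming standard where hosts begin with `sw-`, `rtr-` or `lb-`, that the incoming data has sourcetype `syslog`, and that the load balancer emits a token (`lb-daemon` here, a placeholder) that routers and switches never do; all three are assumptions for the example.

```ini
# props.conf
# Assumed: all network devices arrive as sourcetype "syslog".
[syslog]

# Search-time extraction: pull the device prefix out of the host field.
# Assumes the naming standard sw-*, rtr-*, lb-* (assumption for this example).
EXTRACT-devprefix = ^(?<devprefix>sw|rtr|lb)- in host

# Calculated field so searches can use readable values, e.g. type=switch.
EVAL-type = case(devprefix=="sw", "switch", devprefix=="rtr", "router", devprefix=="lb", "loadbalancer")

# Index-time sourcetype override for load balancer events.
# Must be deployed where parsing happens (indexers or a heavy forwarder);
# it only affects data indexed after the change, not existing events.
TRANSFORMS-lbtype = set_lb_sourcetype

# transforms.conf
[set_lb_sourcetype]
# Placeholder pattern: replace "lb-daemon" with a token that appears only
# in the load balancer's syslog (assumption for this example).
REGEX = \blb-daemon\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::lb_syslog
```

With the extraction in place, `index=network type=switch` returns switch events without router events, and after the override takes effect `sourcetype=lb_syslog` isolates the load balancer traffic. Check the override on a sample before rolling it out: a REGEX that also matches router or switch lines silently relabels them, and since the override is index-time there is no search-time fix short of reindexing.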