How should I group my network device types so I ca...

mjshoaf · ‎06-18-2015

I would like to group network devices types in some way so that I can easily view all events for a particular type of device. For example, device types would be:

Switches
Routers
Network load balancers

I'd like to be able to:

View/search through all switch logs without seeing router logs
View/search through all network load balancer logs without seeing switch and router logs

Are tags the right approach to this? If so, how do I tag hosts en masse? Using the Splunk Web interface, searching, identifying each host and tagging it would take forever.

Ideas?

rphillips_splk · ‎06-21-2015

You need some method of differentiating the devices from one another, tagging is one way that could work. I have seen companies implement a global naming standard to indicate the type of the device in the host & dns name, which could then be extracted from the host field into its own field. Then your search would just include the new field (i.e.: type=switch). Are all of your events syslog? If the format of the events are different between device types you could use props & transforms to change the sourcetype based on a regex you match in the event. I would bet the load balancer syslog looks different from the router/switch syslog however if the router & switch syslog look similar in format your best bet would be the tagging or renaming of the device.

How should I group my network device types so I can easily search and view all events only for a particular type?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...