Solved: Reporting only one unique device

cboillot · ‎07-05-2017

The dashboard is only showing me that I have 1 unique device. Digging into it, It looks like it is seeing the syslog server as the only device. I notice that some of the fields do have a "reported_hostname" field. How do I get those entries have have this to show this as the host field?

cboillot · ‎07-19-2017

So I fixed my issue. I took the local7 out of the monitor stanza, and, this is the most important change, I changed recursive to true.

View solution in original post

cboillot · ‎07-19-2017

So I fixed my issue. I took the local7 out of the monitor stanza, and, this is the most important change, I changed recursive to true.

adonio · ‎07-05-2017

please provide more info, what kind of devices are those?
are you using any of the pre-built splunk apps?
also might be related to how you write data to syslog
hope it slightly helps

cboillot · ‎07-05-2017

several different kinds. we have routers, switches, ASAs, ect.

We are using the "Cisco Networks App for Splunk Enterprise" and the "Splunk Add-on for Cisco Networks"

adonio · ‎07-05-2017

how do you bring the data from syslog to splunk? universal forwarder? directly over TCP / UDP?

cboillot · ‎07-05-2017

universal forwarder

adonio · ‎07-05-2017

what is the sourcetype you have under your inputs stanza?

cboillot · ‎07-05-2017

cisco:ios

adonio · ‎07-05-2017

do you have the TA installed?
https://splunkbase.splunk.com/app/1467/#/details

cboillot · ‎07-05-2017

Yes, it is showing as being installed. Version 2.3.4.

adonio · ‎07-05-2017

can you kindly share your inputs.conf on the forwarder?

cboillot · ‎07-06-2017

[default]
ignoreOlderThan = 10d
blacklist = \.(gz|bz2|z|zip)$
recursive = false
index = main

[monitor:///var/agency_logs/AgencySyslog]
sourcetype=cisco:ios

adonio · ‎07-06-2017

are all devices placing their data in one folder, AgencySyslog?

cboillot · ‎07-06-2017

They are all placing their data into the single file AgencySyslog.

adonio · ‎07-06-2017

i believe this link will l be helpful:
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
worthwhile to look at those as well:
http://www.georgestarcher.com/splunk-success-with-syslog/
https://www.function1.com/2012/05/syslog-collection-with-splunk
hope it helps

cboillot · ‎07-10-2017

I will pass this information along and see what happens. Thank you.

cboillot · ‎07-13-2017

so, they redid the directories and now we have this:

/var/agency_logs/cisco/ios/<hostname>/<syslogfacility-text>/<syslogseverity-text>/<year-month-day>.log

and I have that entered in as

[monitor:///var/agency_logs/cisco/ios/*/local7/*/*.log]
host_segment = 5

However, these are not being pulled in for some reason.

adonio · ‎07-13-2017

try this:
[monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log]
host_segment = 5

cboillot · ‎07-13-2017

Done. But it still isn't pulling the data in.

here is my inputs.conf file:

[default]

ignoreOlderThan = 10d
blacklist = \.(gz|bz2|z|zip)$
recursive = false
index = main
# index = enterprise_90days
sourcetype = cisco:ios
crcSalt = <SOURCE>

# Windows platform specific input processor.

[monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log]
host_segment = 5

# [monitor:///var/agency_logs/AgencySyslogWLC]

# [monitor:///var/agency_logs/AgencySyslog]

adonio · ‎07-13-2017

can you double check the full path to file and compare with examples here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Specifyinputpathswithwildcards

cboillot · ‎07-19-2017

So I fixed my issue. I took the local7 out of the monitor stanza, and, this is the most important change, I changed recursive to true.

Reporting only one unique device

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio