Hi All, my exact requirement: currently we need to route two router devices at the site, 03r and 04r, which point to index=net sourcetype=cisco:network:router, to index=net sourcetype=cisco:network:switch.
All these devices, named uxx01r, bxx02r, mxx03r, uxx04r, dxxx01psr and usxxx-inside-xsx-failover-vlan201, are pointing to the below index=net sourcetype=cisco:network:router. But the network team wants the data from the devices named mxx03r and uxx04r alone to be pointed to index=net sourcetype=cisco:network:switch. There are 35 devices in total with names ending in 03r and 04r.
Current input stanza.
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4

[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4
Kindly guide me on how to blacklist the devices with host names ending in 03r and 04r index=net sourcetype=cisco:network:switch and keep the other devices pointing to index=net sourcetype=cisco:network:router.
Please provide me the regex that can blacklist these devices ending with 03r and 04r.
Like this:
blacklist = ^.*03r$|^.*04r$
A somewhat similar case: "How to blacklist two different hosts in inputs.conf?"
Hi All, I have used the below regex to blacklist device data from 03r and 04r being captured to index=net sourcetype=cisco:network:router.
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4
blacklist = network\/\w*0(3|4)r
I created a separate stanza for pointing the 03r and 04r device data to index=net sourcetype=cisco:network:switch:
[monitor:///opt/syslogs/network/\w*0(3r|4r)/router.log]
index=net
sourcetype=cisco:network:switch
host_segment=4
It worked in our environment.
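A way to check a blacklist regex like the one above against the host inventory before deploying it, as an added example that is not from any poster in this thread. It assumes Python's `re.search` behaves like Splunk's unanchored path match for these patterns; the last two host names and the `TIGHTER` pattern are constructed for illustration.

```python
import re

# Regex from the router stanza in the post above. Splunk applies blacklist
# as an unanchored regex against the full file path.
POSTED = re.compile(r"network\/\w*0(3|4)r")
# Hypothetical alternative (assumption, not from the thread): allow any
# non-slash characters in the host name and require the directory to end at "r".
TIGHTER = re.compile(r"/network/[^/]*0[34]r/")

HOST_SEGMENT = 4  # same value as host_segment in the stanzas


def host_from_path(path, segment=HOST_SEGMENT):
    """Return the path segment Splunk would use as the host."""
    return [p for p in path.split("/") if p][segment - 1]


def intended(host):
    """The stated requirement: host names ending in 03r or 04r."""
    return host.endswith(("03r", "04r"))


def mismatches(pattern, hosts):
    """Hosts where the regex decision differs from the stated requirement."""
    out = []
    for h in hosts:
        path = f"/opt/syslogs/network/{h}/router.log"
        excluded = bool(pattern.search(path))
        if excluded != intended(host_from_path(path)):
            out.append((h, excluded))
    return out


# Host names from the question, plus two constructed edge cases.
HOSTS = [
    "uxx01r", "bxx02r", "mxx03r", "uxx04r", "dxxx01psr",
    "usxxx-inside-xsx-failover-vlan201",
    "site-a03r",  # constructed: hyphen before the suffix
    "mxx03rx",    # constructed: extra character after 03r
]

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("tighter", TIGHTER)):
        print(name, mismatches(pat, HOSTS))
```

For the six host names given in the question the posted regex matches the requirement; the two constructed names show where `\w*` (no hyphens) and the missing trailing `/` would route a device to the wrong sourcetype.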