Basically, I need to make sure that, from syslog-ng servers, they are tagging the right source types and source addresses (not the syslog server IP but the Network Device IP) and forwarding this syslog info over to Splunk.
@yzaari: let's assume that your index=network, there are many ways to grab the info, I will list few here...
| metadata type=hosts index=network
| tstats values(host) as hosts, values(sourcetype) as sourcetypes where index=network
| tstats values(sourcetype) values(host) where index=network group by index
Thanks a lot this helpful.
I just don’t know why I am not seeing all of our devices in the network in the list.
Also I want to be able to use the Cisco networks dashboard and monitor all the devices in the network that are Cisco.
check your inputs.conf on your syslog(do you have any host_segement or host_regex in there)..
index=network | dedup host | table host (might give you hosts forwarding to that index)
