You might need to obtain an inventory of all devices that report network data when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
To collect SNMP traps in Splunk, you will need to run an snmptrapd server on a Linux or Windows machine to collect traps and write them to a file. After they are written to disk, you can configure the Universal Forwarder to read those files and forward them to Splunk; this configuration is outlined in our documentation.
You need broad network visibility to set the stage for availability monitoring and alerting should devices stop sending data. You know that the best place to start is obtaining an inventory of every device on the network.
To optimize the search shown below, you should specify an index and a time range.
- If you are switching to Splunk software from another vendor, front SC4S with the same IP address that your previous software used to collect syslog traffic. Doing so helps prevent the need to reconfigure all network devices and firewall rules that would be necessary to allow syslog traffic to flow to a new syslog receiver.
- Run the following search:

```
index IN (*) sourcetype IN (*) sc4s_vendor_product=* | stats count BY host, sourcetype, sc4s_vendor_product
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk search | Explanation |
|---|---|
| `index IN (*) sourcetype IN (*) sc4s_vendor_product=*` | Search all data coming into the Splunk Connect for Syslog app. |
| `\| stats count BY host, sourcetype, sc4s_vendor_product` | Display a count of the source types and related products for each host on your network. |
To further restrict your search, limit the search to include only the source types associated with your networking devices. Use the results to determine what needs to be investigated further.
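As an added example (not Splunk's or SC4S's own code), the following script takes two CSV exports of the inventory search above, a saved baseline and a fresh run, restricts them to the vendor products you treat as network devices, and lists feeds that have gone silent or newly appeared. This is the availability check the inventory sets the stage for; the sample rows, the vendor-product values and the product list are constructed assumptions.

```python
import csv
import io

# Constructed sample exports of the inventory search (host, sourcetype,
# sc4s_vendor_product, count); not real data, values are assumptions.
BASELINE_CSV = """host,sourcetype,sc4s_vendor_product,count
core-sw01,cisco:ios,cisco_ios,1420
edge-fw01,pan:traffic,paloalto_panos,98211
edge-fw01,pan:system,paloalto_panos,512
dist-sw02,cisco:ios,cisco_ios,870
"""

CURRENT_CSV = """host,sourcetype,sc4s_vendor_product,count
core-sw01,cisco:ios,cisco_ios,1398
edge-fw01,pan:traffic,paloalto_panos,101030
dist-sw03,cisco:ios,cisco_ios,15
"""


def load_inventory(csv_text):
    """Map (host, sourcetype) -> (vendor_product, count) from a CSV export."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], row["sourcetype"])
        inventory[key] = (row["sc4s_vendor_product"], int(row["count"]))
    return inventory


def compare_inventories(baseline_csv, current_csv, network_products):
    """Return the network-device feeds that disappeared since the baseline
    ("silent") and the ones that were not in the baseline ("new")."""
    base = load_inventory(baseline_csv)
    cur = load_inventory(current_csv)
    # Keep only the (host, sourcetype) pairs whose vendor product is a
    # network device, which is the restriction the text recommends.
    base_keys = {k for k, v in base.items() if v[0] in network_products}
    cur_keys = {k for k, v in cur.items() if v[0] in network_products}
    return {
        "silent": sorted(base_keys - cur_keys),
        "new": sorted(cur_keys - base_keys),
    }


if __name__ == "__main__":
    # Hypothetical set of products considered network devices.
    report = compare_inventories(BASELINE_CSV, CURRENT_CSV,
                                 {"cisco_ios", "paloalto_panos"})
    for status, feeds in report.items():
        for host, sourcetype in feeds:
            print(f"{status}: {host} ({sourcetype})")
```

A feed in "silent" is a candidate for an alert that a device stopped sending data; a feed in "new" is a device to add to the inventory or investigate.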