Network device log data is a type of data that reflects the internal state of the device and the status of its configuration and main functions. For example, in the case of a network switch, this includes the amount of traffic flow, packet drops, and transmission error rates. Common network devices are switches, routers, modems, hubs, repeaters, and access points. While these are often physical hardware, they can also be implemented in software, an approach referred to as software-defined networking; a software-defined switch is one example.
Data visibility
This data is used for troubleshooting the operations of the device and to confirm configuration settings that influence the functionality the device is designed to deliver. Examples include mismatched duplex settings, up and down state of ports, routing, and operating conditions such as temperature and power.
How can I use this data?
When your Splunk deployment is ingesting Network device log data, you can use the data to achieve objectives related to the following use cases:
High-value fields
This data type has many available fields, but users typically derive the most value out of the fields listed here.
alarm: Descriptor of an alarm condition. When an alarm condition is true, the value of this field names the alarm type.
dst_mac: Media access control (MAC) address at the destination of the event.
dvc: Device identifier, usually an IP address or a host name.
mnemonic: Human-readable, searchable system message condensed to one word.
port: Port involved in the event, whether the event reports a configuration status, an alarm status, or another status. Knowing the port helps to identify where changes may be needed.
severity: Indicator of the importance of a condition or alarm.
src_mac: Media access control (MAC) address at the source of the event.
Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, Network device log data is typically mapped to the Network Traffic and Change data models.
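The following is an added example, not code from Splunk or from this page: it parses constructed syslog lines in the Cisco IOS %FACILITY-SEVERITY-MNEMONIC style into the high-value field names listed above (dvc, severity, mnemonic, port), the same normalization the CIM performs at search time, and then uses those fields to spot two of the conditions the page names, port flapping and a duplex mismatch. The sample log lines, host names and interface names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the Cisco IOS syslog style (%FACILITY-SEVERITY-MNEMONIC);
# they are illustrative and not taken from the page or from a real device.
SAMPLE_LOGS = [
    "Jan 12 10:02:11 core-sw01 1043: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "Jan 12 10:02:14 core-sw01 1044: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up",
    "Jan 12 10:02:19 core-sw01 1045: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "Jan 12 10:05:00 edge-rtr02 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Jan 12 10:06:30 core-sw01 1046: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/7 (not half duplex), with access-sw03 GigabitEthernet0/1 (half duplex).",
    "Jan 12 10:07:00 edge-rtr02 last message repeated 2 times",
]

# syslog header (timestamp, host, optional sequence number) followed by the IOS message tag
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(?P<dvc>\S+)\s+(?:\d+:\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<msg>.*)$"
)
PORT_RE = re.compile(r"\b((?:TenGigabit|Gigabit|Fast)?Ethernet\d+(?:/\d+)*)\b")


def parse_line(line):
    """Extract the page's high-value fields (dvc, severity, mnemonic, port) from one line.
    Returns None for lines that carry no %FACILITY-SEVERITY-MNEMONIC message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["severity"] = int(event["severity"])  # 0 = emergency ... 7 = debug
    ports = PORT_RE.findall(event["msg"])
    event["port"] = ports[0] if ports else None  # first interface named in the message
    return event


def parse_all(lines):
    return [e for e in (parse_line(line) for line in lines) if e]


def port_flaps(events, min_changes=3):
    """Return {(dvc, port): count} for ports whose link state changed at least min_changes times."""
    changes = Counter((e["dvc"], e["port"]) for e in events if e["mnemonic"] == "UPDOWN" and e["port"])
    return {key: n for key, n in changes.items() if n >= min_changes}


def duplex_mismatches(events):
    """Return (dvc, port) pairs on which a duplex mismatch was reported."""
    return [(e["dvc"], e["port"]) for e in events if e["mnemonic"] == "DUPLEX_MISMATCH"]


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOGS)
    print(port_flaps(events))         # {('core-sw01', 'GigabitEthernet1/0/24'): 3}
    print(duplex_mismatches(events))  # [('core-sw01', 'GigabitEthernet1/0/7')]
```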
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.
Data Source | Sourcetype | Recommended Add-Ons
--- | --- | ---
Forcepoint | sourcetype="websense:cg:kv" |
Websense | sourcetype="websense:dlp:system:cef" |
McAfee | sourcetype="mcafee:wg:kv" |
Cisco | sourcetype="cisco:wsa:l4tm" |
Cisco | sourcetype="cisco:iso" |