Cisco IOS devices with highest log volume

You might need to compare log volume across your Cisco devices when doing the following:

• Managing Cisco devices

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

• Cisco Networks Add-on for Splunk Enterprise
• Syslog data collection tier. The Cisco IOS system message logging process uses the syslog protocol to send important messages to remote logging services, such as Splunk. The required add-on expects the data stream to be assigned the syslog sourcetype by the input configuration and will rename it to cisco:ios in the transformation configuration. For details on how the transformation is implemented, see the props.conf and transforms.conf in the add-on and the Splunk documentation. For more information on syslog and Splunk, see the (SYSLOG) Syslog Data Collection section of the Splunk Validated Architectures white paper.

Example

As network devices operate and route traffic, critical status information is regularly emitted via syslog. Hosts producing large volumes of syslog data can indicate a highly used device. However, the volume of syslog messages can also rise dramatically because of a network issue or misconfiguration. You want to identify which hosts are producing the largest volumes of syslog data and review the syslog messages to ensure the device is operating as expected. 

NOTE: To optimize the search shown below, you should specify an index and a time range. 

1. Run the following search: 

sourcetype=cisco:ios
| stats count sparkline(count,15m) AS trend BY host
| sort - count
| head 10
| table host trend count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Result

The result of this search shows the host and count of events over the last 15 minutes and includes a sparkline showing the trend for count.