topic Re: How to extract the host and dvc field with the Cisco ios TA in All Apps and Add-ons

How to extract the host and dvc field with the Cisco ios TA

hfernandez_ — Wed, 30 Sep 2020 02:25:42 GMT

Hi Answers,

I'm currently using the following apps:
Cisco Networks App for Splunk Enterprise 2.5.8 (https://splunkbase.splunk.com/app/1352/)
Cisco Networks Add-on for Splunk Enterprise 2.5.8(https://splunkbase.splunk.com/app/1467/)

I'm collecting the logs from the devices via syslog:

Here is how the raw log looks in Splunk:
Oct 9 16:14:04 syslog-server.domain.com 1 aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:13:56.935: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*

syslog-server.domain.com = syslog server (some device names have "-" in them)
aa-bbbb-ccc = device (some device names have "-" in them)

Splunk extracts the host=syslog-server.domain.com and dvc=syslog-server.domain.com. When I apply the syslog-header-stripper-ts-host to both the props.conf and transforms.conf, but that doesn't change the host and dvc values.

TA-cisco_ios\props.conf
[source::udp:514]
TRANSFORMS-strip-syslog = syslog-header-stripper-ts-host
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 100
TA-cisco_ios\transforms.conf
# This will strip the syslog header (date stamp and host) from a syslog event
[syslog-header-stripper-ts-host]
REGEX         = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s\d\s(.*)$
FORMAT        = $1
DEST_KEY      = _raw

The syslog-header-stripper-ts-host data looks like:
aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:09:56.926: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*

In this case the host and dvc still are set to syslog-server.domain.com. How do I change the value of host and dvc to aa-bbbb-ccc ?

I appreciate the help.

Re: How to extract the host and dvc field with the Cisco ios TA

gcusello — Wed, 30 Sep 2020 02:31:03 GMT

Hi hfernandez_hfernandez_,
I'm not sure about your regex because I cannot read it, please use the Code Sample button (the one with 101010), so I give you my regex for host field that you have to extract at index time:

^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)

that you can test at https://regex101.com/r/iOnbKJ/1

Then at search time you can extract the dvc field with this regex:

^\w+\s+\d+\s+\d+:\d+:\d+\s+(?<dvc>[^ ]*)

that you can test at https://regex101.com/r/iOnbKJ/2

In addition, where do you deployed this TA?
it must be on Indexers.

Bye.
Giuseppe

Re: How to extract the host and dvc field with the Cisco ios TA

hfernandez_ — Thu, 10 Oct 2019 15:14:44 GMT

Hi Giuseppe,

I appreciate the reply and guidance. The sample code comes from the etc/system/default/transforms.conf file under the stanza:

# This will strip the syslog header (date stamp and host) from a syslog event
[syslog-header-stripper-ts-host]
REGEX         = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s(.*)$
FORMAT        = $1
DEST_KEY      = _raw

Ah, here's more background info. We have Splunk Cloud and the app and TA are installed to both Cloud SHs and INDs. The syslog data is being sent to an on-prem HF via UDP port and I'm configuring the TA there. The challenge is that the App Dashboards show the host and dvc as the syslog server vs the actual network device. I would simply change the field name in the code, but the actual device name is not capture. How do I go about setting the host and/or dvc to the actual device name at index time in the TA? I appreciate it.

Re: How to extract the host and dvc field with the Cisco ios TA

hfernandez_ — Thu, 10 Oct 2019 16:04:49 GMT

Ok, I was able to get it to work. I applied your regex and the the following code to the the TA's props.conf and transforms.conf files. Here is the code:

TA-cisco_ios\props.conf

[source::udp:514]
TRANSFORMS-force_host= force_real_host

and

    TA-cisco_ios\transforms.conf

    [force_real_host]
    REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)
    FORMAT = host::$1
    DEST_KEY = MetaData:Host

I appreciate the help. Hope this helps others.

Re: How to extract the host and dvc field with the Cisco ios TA

gcusello — Fri, 11 Oct 2019 07:15:01 GMT

Hi hfernandez_,
did you solved?
Bye.
Giuseppe

Re: How to extract the host and dvc field with the Cisco ios TA

hfernandez_ — Fri, 11 Oct 2019 14:41:08 GMT

Hi Giuseppe,
Yes, I was able to put together all the pieces and got it to work. I appreciate the help in pointing me in the right direction.