topic Extract routing information from cisco router in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Extract-routing-information-from-cisco-router/m-p/381436#M68795 <P>Hi folks, i hope somebody can help me.</P> <P>I have a network script running to pull in the routing config from my routers and having a terrible time extracting the fields i need.<BR /> I have some regex that works in regex101 but not in splunk for some reason when using 'rex field=_raw' at search time. Code so far is below but not perfect:</P> <PRE><CODE>^(?&lt;Code&gt;[\w\*\%\+]+)\s+(?&lt;route&gt;(\d{1,3}\.){3}\d{1,3}(\/\d+){0,1})\s.+?,\s+(?&lt;Interface&gt;[\w\-\.]+) </CODE></PRE> <P>I have fudged the ip addresses in the data sample below for obvious reasons and would greatly appreciate some help. Extractions required are:</P> <P>1 - Extract Codes (example L - local, ia - IS-IS inter area, * - candidate default) into a field called 'routing_codes'.<BR /> 2 - Extract individual routing code letters (examples S*, C, L etc...) into a field called 'route_code'. <BR /> 3 - Extract top level routing entry (examples 10.0.0.0/8, 99.0.0.0/32, 172.107.0.0/32) into field called 'iprange'<BR /> 4 - Extract individual routes (example 192.168.79.123, 172.111.242.196, 172.107.79.123) into feild called 'route'<BR /> 5 - Extract outgoing interfaces (example Vlan1, Vlan200, Loopback13) into field called 'interface'</P> <P>Data Sample:</P> <PRE><CODE>___________________________________________________________________________ 10/09/2018 17:15:25 : Started route_scraper Execute Command Script on Devices 4 devices selected Devices: 4 Errors: 0 ___________________________________________________________________________ router-r-s-71193-01 (10.2.199.98): show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 89.189.89.191 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 89.189.88.190 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.71.193.0/24 is directly connected, Vlan1 L 10.71.193.1/32 is directly connected, Vlan1 99.00.00.00/32 is subnetted, 1 subnets C 99.99.99.199 is directly connected, Virtual-Access1.1 172.168.0.0/32 is subnetted, 1 subnets C 172.168.80.31 is directly connected, Loopback10 172.168.0.0/32 is subnetted, 1 subnets C 172.168.242.253 is directly connected, Loopback13 192.168.80.0/32 is subnetted, 1 subnets C 192.168.80.31 is directly connected, Loopback1 ___________________________________________________________________________ router-r-s-72241-01 (10.2.199.99): show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 88.188.88.188 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 88.189.89.189 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.72.241.0/24 is directly connected, Vlan1 L 10.72.241.1/32 is directly connected, Vlan1 99.0.0.0/32 is subnetted, 1 subnets C 99.99.199.198 is directly connected, Virtual-Access1.1 172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks C 172.17.1.80/28 is directly connected, Vlan200 L 172.17.1.81/32 is directly connected, Vlan200 172.107.0.0/32 is subnetted, 1 subnets C 172.107.79.123 is directly connected, Loopback10 172.111.0.0/32 is subnetted, 1 subnets C 172.111.242.196 is directly connected, Loopback13 192.168.79.0/32 is subnetted, 1 subnets C 192.168.79.123 is directly connected, Loopback1 ___________________________________________________________________________ </CODE></PRE> <P>thanks</P> Tue, 29 Sep 2020 21:57:42 GMT smithjnick 2020-09-29T21:57:42Z Extract routing information from cisco router https://community.splunk.com/t5/Getting-Data-In/Extract-routing-information-from-cisco-router/m-p/381436#M68795 <P>Hi folks, i hope somebody can help me.</P> <P>I have a network script running to pull in the routing config from my routers and having a terrible time extracting the fields i need.<BR /> I have some regex that works in regex101 but not in splunk for some reason when using 'rex field=_raw' at search time. Code so far is below but not perfect:</P> <PRE><CODE>^(?&lt;Code&gt;[\w\*\%\+]+)\s+(?&lt;route&gt;(\d{1,3}\.){3}\d{1,3}(\/\d+){0,1})\s.+?,\s+(?&lt;Interface&gt;[\w\-\.]+) </CODE></PRE> <P>I have fudged the ip addresses in the data sample below for obvious reasons and would greatly appreciate some help. Extractions required are:</P> <P>1 - Extract Codes (example L - local, ia - IS-IS inter area, * - candidate default) into a field called 'routing_codes'.<BR /> 2 - Extract individual routing code letters (examples S*, C, L etc...) into a field called 'route_code'. <BR /> 3 - Extract top level routing entry (examples 10.0.0.0/8, 99.0.0.0/32, 172.107.0.0/32) into field called 'iprange'<BR /> 4 - Extract individual routes (example 192.168.79.123, 172.111.242.196, 172.107.79.123) into feild called 'route'<BR /> 5 - Extract outgoing interfaces (example Vlan1, Vlan200, Loopback13) into field called 'interface'</P> <P>Data Sample:</P> <PRE><CODE>___________________________________________________________________________ 10/09/2018 17:15:25 : Started route_scraper Execute Command Script on Devices 4 devices selected Devices: 4 Errors: 0 ___________________________________________________________________________ router-r-s-71193-01 (10.2.199.98): show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 89.189.89.191 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 89.189.88.190 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.71.193.0/24 is directly connected, Vlan1 L 10.71.193.1/32 is directly connected, Vlan1 99.00.00.00/32 is subnetted, 1 subnets C 99.99.99.199 is directly connected, Virtual-Access1.1 172.168.0.0/32 is subnetted, 1 subnets C 172.168.80.31 is directly connected, Loopback10 172.168.0.0/32 is subnetted, 1 subnets C 172.168.242.253 is directly connected, Loopback13 192.168.80.0/32 is subnetted, 1 subnets C 192.168.80.31 is directly connected, Loopback1 ___________________________________________________________________________ router-r-s-72241-01 (10.2.199.99): show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 88.188.88.188 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 88.189.89.189 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.72.241.0/24 is directly connected, Vlan1 L 10.72.241.1/32 is directly connected, Vlan1 99.0.0.0/32 is subnetted, 1 subnets C 99.99.199.198 is directly connected, Virtual-Access1.1 172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks C 172.17.1.80/28 is directly connected, Vlan200 L 172.17.1.81/32 is directly connected, Vlan200 172.107.0.0/32 is subnetted, 1 subnets C 172.107.79.123 is directly connected, Loopback10 172.111.0.0/32 is subnetted, 1 subnets C 172.111.242.196 is directly connected, Loopback13 192.168.79.0/32 is subnetted, 1 subnets C 192.168.79.123 is directly connected, Loopback1 ___________________________________________________________________________ </CODE></PRE> <P>thanks</P> Tue, 29 Sep 2020 21:57:42 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-routing-information-from-cisco-router/m-p/381436#M68795 smithjnick 2020-09-29T21:57:42Z