
How to extract the host and dvc field with the Cisco ios TA

hfernandez_
Path Finder

Hi Answers,

I'm currently using the following apps:
Cisco Networks App for Splunk Enterprise 2.5.8 (https://splunkbase.splunk.com/app/1352/)
Cisco Networks Add-on for Splunk Enterprise 2.5.8 (https://splunkbase.splunk.com/app/1467/)

I'm collecting the logs from the devices via syslog:

Here is how the raw log looks in Splunk:
Oct 9 16:14:04 syslog-server.domain.com 1 aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:13:56.935: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*

syslog-server.domain.com = syslog server (some device names have "-" in them)
aa-bbbb-ccc = device (some device names have "-" in them)

Splunk extracts host=syslog-server.domain.com and dvc=syslog-server.domain.com. When I apply the syslog-header-stripper-ts-host to both props.conf and transforms.conf, it doesn't change the host and dvc values.

TA-cisco_ios\props.conf

    [source::udp:514]
    TRANSFORMS-strip-syslog = syslog-header-stripper-ts-host
    TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
    SHOULD_LINEMERGE = false
    MAX_TIMESTAMP_LOOKAHEAD = 100

TA-cisco_ios\transforms.conf

    # This will strip the syslog header (date stamp and host) from a syslog event
    [syslog-header-stripper-ts-host]
    REGEX         = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s\d\s(.*)$
    FORMAT        = $1
    DEST_KEY      = _raw

The syslog-header-stripper-ts-host data looks like:
aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:09:56.926: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*

In this case the host and dvc are still set to syslog-server.domain.com. How do I change the value of host and dvc to aa-bbbb-ccc?

I appreciate the help.

1 Solution

gcusello
SplunkTrust

Hi hfernandez_,
I'm not sure about your regex because I cannot read it; please use the Code Sample button (the one with 101010). So I'll give you my regex for the host field, which you have to extract at index time:

^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)

that you can test at https://regex101.com/r/iOnbKJ/1

Then at search time you can extract the dvc field with this regex:

^\w+\s+\d+\s+\d+:\d+:\d+\s+(?<dvc>[^ ]*)

that you can test at https://regex101.com/r/iOnbKJ/2

In addition, where did you deploy this TA?
It must be on the Indexers.

Bye.
Giuseppe

hfernandez_
Path Finder

Hi Giuseppe,

I appreciate the reply and guidance. The sample code comes from the etc/system/default/transforms.conf file under the stanza:

    # This will strip the syslog header (date stamp and host) from a syslog event
    [syslog-header-stripper-ts-host]
    REGEX         = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s(.*)$
    FORMAT        = $1
    DEST_KEY      = _raw

Ah, here's more background info. We have Splunk Cloud, and the app and TA are installed on both the Cloud SHs and INDs. The syslog data is being sent to an on-prem HF via a UDP port, and I'm configuring the TA there. The challenge is that the App Dashboards show the host and dvc as the syslog server vs. the actual network device. I would simply change the field name in the code, but the actual device name is not captured. How do I go about setting the host and/or dvc to the actual device name at index time in the TA? I appreciate it.


hfernandez_
Path Finder

Ok, I was able to get it to work. I applied your regex and the following code to the TA's props.conf and transforms.conf files. Here is the code:

TA-cisco_ios\props.conf

    [source::udp:514]
    TRANSFORMS-force_host = force_real_host

and

    TA-cisco_ios\transforms.conf

    [force_real_host]
    REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)
    FORMAT = host::$1
    DEST_KEY = MetaData:Host

I appreciate the help. Hope this helps others.

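To see how the index-time stanzas above and the regexes from the accepted answer behave on the quoted event, here is an added Python simulation (not code from the thread or from the TA): it assumes the UDP input initially set host to the syslog server, applies the transforms in the order you give it, and shows that the force_real_host regex only matches while the syslog header is still present, and that the answer's search-time dvc regex likewise needs the unstripped _raw.

```python
import re

# Constructed sample event, modelled on the raw line quoted in the question.
RAW_EVENT = (
    "Oct 9 16:14:04 syslog-server.domain.com 1 aa-bbbb-ccc: *pemReceiveTask: "
    "Oct 09 16:13:56.935: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 "
    "Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*"
)

# Regexes copied from the thread (PCRE -> Python: the named group is spelled (?P<dvc>...)).
FORCE_REAL_HOST = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)")
STRIP_HEADER = re.compile(r"^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s\d\s(.*)$")
SEARCH_TIME_DVC = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+(?P<dvc>[^ ]*)")

# transform name -> (event key it writes, regex); mirrors DEST_KEY = MetaData:Host / _raw
TRANSFORMS = {
    "force_real_host": ("host", FORCE_REAL_HOST),
    "syslog-header-stripper-ts-host": ("_raw", STRIP_HEADER),
}


def run_index_time(raw: str, order: list[str], default_host: str) -> dict:
    """Simulate the index-time pipeline: apply the named transforms, in the
    given order, to an event whose host was initially set by the UDP input."""
    event = {"_raw": raw, "host": default_host}
    for name in order:
        key, regex = TRANSFORMS[name]
        match = regex.match(event["_raw"])
        if match:  # a transform whose REGEX does not match leaves the event untouched
            event[key] = match.group(1)
    return event


def extract_dvc(indexed_raw: str):
    """Search-time extraction from the answer; returns None when the regex does
    not match, e.g. because the syslog header was stripped at index time."""
    match = SEARCH_TIME_DVC.match(indexed_raw)
    return match.group("dvc") if match else None


if __name__ == "__main__":
    syslog_host = "syslog-server.domain.com"
    good = run_index_time(RAW_EVENT, ["force_real_host", "syslog-header-stripper-ts-host"], syslog_host)
    bad = run_index_time(RAW_EVENT, ["syslog-header-stripper-ts-host", "force_real_host"], syslog_host)
    print("host override before stripper:", good["host"])  # aa-bbbb-ccc
    print("stripper before host override:", bad["host"])   # syslog-server.domain.com
    print("indexed _raw:", good["_raw"][:40])
    print("dvc on unstripped event:", extract_dvc(RAW_EVENT))
    print("dvc on stripped event:", extract_dvc(good["_raw"]))
```

The second run shows the failure mode to watch for: once the header stripper has rewritten _raw, the host regex no longer matches and the event keeps the syslog server as its host.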

gcusello
SplunkTrust

Hi hfernandez_,
did you solve it?
Bye.
Giuseppe


hfernandez_
Path Finder

Hi Giuseppe,
Yes, I was able to put together all the pieces and got it to work. I appreciate the help in pointing me in the right direction.
