Getting Data In

Extract routing information from cisco router

smithjnick
Path Finder

Hi folks, i hope somebody can help me.

I have a network script running to pull in the routing config from my routers and having a terrible time extracting the fields i need.
I have some regex that works in regex101 but not in splunk for some reason when using 'rex field=_raw' at search time. Code so far is below but not perfect:

^(?<Code>[\w\*\%\+]+)\s+(?<route>(\d{1,3}\.){3}\d{1,3}(\/\d+){0,1})\s.+?,\s+(?<Interface>[\w\-\.]+)

I have fudged the ip addresses in the data sample below for obvious reasons and would greatly appreciate some help. Extractions required are:

1 - Extract Codes (example L - local, ia - IS-IS inter area, * - candidate default) into a field called 'routing_codes'.
2 - Extract individual routing code letters (examples S*, C, L etc...) into a field called 'route_code'.
3 - Extract top level routing entry (examples 10.0.0.0/8, 99.0.0.0/32, 172.107.0.0/32) into field called 'iprange'
4 - Extract individual routes (example 192.168.79.123, 172.111.242.196, 172.107.79.123) into feild called 'route'
5 - Extract outgoing interfaces (example Vlan1, Vlan200, Loopback13) into field called 'interface'

Data Sample:

___________________________________________________________________________

10/09/2018 17:15:25 : Started route_scraper

Execute Command Script on Devices
4 devices selected


Devices: 4
Errors: 0
___________________________________________________________________________

router-r-s-71193-01 (10.2.199.98):

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 89.189.89.191 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 89.189.88.190
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.71.193.0/24 is directly connected, Vlan1
L        10.71.193.1/32 is directly connected, Vlan1
      99.00.00.00/32 is subnetted, 1 subnets
C        99.99.99.199 is directly connected, Virtual-Access1.1
      172.168.0.0/32 is subnetted, 1 subnets
C        172.168.80.31 is directly connected, Loopback10
      172.168.0.0/32 is subnetted, 1 subnets
C        172.168.242.253 is directly connected, Loopback13
      192.168.80.0/32 is subnetted, 1 subnets
C        192.168.80.31 is directly connected, Loopback1


___________________________________________________________________________

router-r-s-72241-01 (10.2.199.99):

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 88.188.88.188 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 88.189.89.189
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.72.241.0/24 is directly connected, Vlan1
L        10.72.241.1/32 is directly connected, Vlan1
      99.0.0.0/32 is subnetted, 1 subnets
C        99.99.199.198 is directly connected, Virtual-Access1.1
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.80/28 is directly connected, Vlan200
L        172.17.1.81/32 is directly connected, Vlan200
      172.107.0.0/32 is subnetted, 1 subnets
C        172.107.79.123 is directly connected, Loopback10
      172.111.0.0/32 is subnetted, 1 subnets
C        172.111.242.196 is directly connected, Loopback13
      192.168.79.0/32 is subnetted, 1 subnets
C        192.168.79.123 is directly connected, Loopback1


___________________________________________________________________________

thanks

Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...