Getting Data In

Extract routing information from cisco router

smithjnick
Path Finder

Hi folks, i hope somebody can help me.

I have a network script running to pull in the routing config from my routers and having a terrible time extracting the fields i need.
I have some regex that works in regex101 but not in splunk for some reason when using 'rex field=_raw' at search time. Code so far is below but not perfect:

^(?<Code>[\w\*\%\+]+)\s+(?<route>(\d{1,3}\.){3}\d{1,3}(\/\d+){0,1})\s.+?,\s+(?<Interface>[\w\-\.]+)

I have fudged the ip addresses in the data sample below for obvious reasons and would greatly appreciate some help. Extractions required are:

1 - Extract Codes (example L - local, ia - IS-IS inter area, * - candidate default) into a field called 'routing_codes'.
2 - Extract individual routing code letters (examples S*, C, L etc...) into a field called 'route_code'.
3 - Extract top level routing entry (examples 10.0.0.0/8, 99.0.0.0/32, 172.107.0.0/32) into field called 'iprange'
4 - Extract individual routes (example 192.168.79.123, 172.111.242.196, 172.107.79.123) into feild called 'route'
5 - Extract outgoing interfaces (example Vlan1, Vlan200, Loopback13) into field called 'interface'

Data Sample:

___________________________________________________________________________

10/09/2018 17:15:25 : Started route_scraper

Execute Command Script on Devices
4 devices selected


Devices: 4
Errors: 0
___________________________________________________________________________

router-r-s-71193-01 (10.2.199.98):

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 89.189.89.191 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 89.189.88.190
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.71.193.0/24 is directly connected, Vlan1
L        10.71.193.1/32 is directly connected, Vlan1
      99.00.00.00/32 is subnetted, 1 subnets
C        99.99.99.199 is directly connected, Virtual-Access1.1
      172.168.0.0/32 is subnetted, 1 subnets
C        172.168.80.31 is directly connected, Loopback10
      172.168.0.0/32 is subnetted, 1 subnets
C        172.168.242.253 is directly connected, Loopback13
      192.168.80.0/32 is subnetted, 1 subnets
C        192.168.80.31 is directly connected, Loopback1


___________________________________________________________________________

router-r-s-72241-01 (10.2.199.99):

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway of last resort is 88.188.88.188 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 88.189.89.189
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.72.241.0/24 is directly connected, Vlan1
L        10.72.241.1/32 is directly connected, Vlan1
      99.0.0.0/32 is subnetted, 1 subnets
C        99.99.199.198 is directly connected, Virtual-Access1.1
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.80/28 is directly connected, Vlan200
L        172.17.1.81/32 is directly connected, Vlan200
      172.107.0.0/32 is subnetted, 1 subnets
C        172.107.79.123 is directly connected, Loopback10
      172.111.0.0/32 is subnetted, 1 subnets
C        172.111.242.196 is directly connected, Loopback13
      192.168.79.0/32 is subnetted, 1 subnets
C        192.168.79.123 is directly connected, Loopback1


___________________________________________________________________________

thanks

Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...