I am extracting logs from the results of a screen scrape on Cisco load balancers. I used to use some Perl code to pre-parse the data, but I am trying to port that functionality into Splunk. Below is some sample output:
slb/prod16# show service-policy LB123ABC_POLICY detail
Status : ACTIVE
Interface: vlan 1180 4713 6404
class: L4_SSL-123_ABC_CLASS_DEV
  ssl-proxy server: NEW-SSL-PROXY
  VIP Address: Protocol: Port:
  10.47.15.16 tcp eq 443
  loadbalance:
  L7 loadbalance policy: L7_SSL-123_ABC_POLICY
  VIP Route Metric : 77
  VIP Route Advertise : DISABLED
  VIP ICMP Reply : ENABLED-WHEN-ACTIVE
  VIP State: INSERVICE
  curr conns : 780 , hit count : 1251767
  dropped conns : 159774
  client pkt count : 21301490 , client byte count: 2624639829
  server pkt count : 26552109 , server byte count: 28101998657
  conn-rate-limit : 0 , drop-count : 0
  bandwidth-rate-limit : 0 , drop-count : 0
  L7 Loadbalance policy : L7_SSL-123_ABC_POLICY
    class/match : class-default
    ssl-proxy client : SSL_PSRVICE_CLIENT
    LB action: :
    primary serverfarm: prod.thingy:30011
    state: UP
    backup serverfarm : -
    hit count : 1244324
    dropped conns : 1
class: prod.thingy:30010
  VIP Address: Protocol: Port:
  10.47.15.16 tcp eq 80
  loadbalance:
  L7 loadbalance policy: prod.thingy:8010
  VIP Route Metric : 77
  VIP Route Advertise : DISABLED
  VIP ICMP Reply : ENABLED
  VIP State: INSERVICE
  curr conns : 602 , hit count : 308787
  dropped conns : 35
  client pkt count : 1526460 , client byte count: 130340865
  server pkt count : 1224022 , server byte count: 208605432
  conn-rate-limit : 0 , drop-count : 0
  bandwidth-rate-limit : 0 , drop-count : 0
  L7 Loadbalance policy : prod.thingy:8010
    class/match : class-default
    LB action: :
    primary serverfarm: prod.thingy:30010
    state: UP
    backup serverfarm : -
    hit count : 308784
    dropped conns : 0
This is the detail of two Classes, but IRL, there are many more Classes listed one after another. I am trying to map the "class:" name with the corresponding "curr conns" that follows.
Is this possible? I am thinking that I would be able to grab the other data points if it is ever requested in the future. Would I be better off pre-parsing the data, like I have in the past?
Sounds like you should either:
You can probably get away with doing some fancy regexes, but you will need to use the multivalue field parameters (MVADD in config files, maxmatches when using rex).
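For comparison with the regex approach, here is a pre-parsing sketch in Python that pairs each "class:" name with the "curr conns" that follows it and emits one key="value" line per class. It is an added example, not code from the question or the answer; the function names, the output field names and the trimmed sample text are assumptions made for illustration.

```python
import re

# Constructed sample: the question's two class blocks, trimmed to a few fields.
SAMPLE = (
    "slb/prod16# show service-policy LB123ABC_POLICY detail\nStatus : ACTIVE\n"
    "class: L4_SSL-123_ABC_CLASS_DEV VIP State: INSERVICE curr conns : 780 , "
    "hit count : 1251767 dropped conns : 159774 L7 Loadbalance policy : "
    "L7_SSL-123_ABC_POLICY class/match : class-default hit count : 1244324 "
    "dropped conns : 1 class: prod.thingy:30010 VIP State: INSERVICE "
    "curr conns : 602 , hit count : 308787 dropped conns : 35 "
    "class/match : class-default hit count : 308784 dropped conns : 0\n"
)

POLICY = re.compile(r"show service-policy\s+(\S+)")
# "class:" must start a token, so "class/match :" never opens a new block.
CLASS_START = re.compile(r"(?<!\S)class:\s+(\S+)")
# search() takes the first hit per block: the VIP-level counters, not the L7 repeats.
FIELDS = {
    "vip_state": re.compile(r"VIP State:\s*(\S+)"),
    "curr_conns": re.compile(r"curr conns\s*:\s*(\d+)"),
    "hit_count": re.compile(r"hit count\s*:\s*(\d+)"),
    "dropped_conns": re.compile(r"dropped conns\s*:\s*(\d+)"),
}

def parse_classes(text):
    """Return one dict per class block, keyed by the field names above."""
    flat = " ".join(text.split())  # layout-independent: collapse all whitespace
    policy = POLICY.search(flat)
    starts = list(CLASS_START.finditer(flat))
    rows = []
    for i, start in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(flat)
        block = flat[start.end():end]
        row = {"policy": policy.group(1) if policy else None, "class": start.group(1)}
        for name, rx in FIELDS.items():
            hit = rx.search(block)
            value = hit.group(1) if hit else None  # None: field absent in block
            row[name] = int(value) if value and value.isdigit() else value
        rows.append(row)
    return rows

def to_event(row):
    """Render one class as a key="value" line, skipping absent fields."""
    return " ".join(f'{k}="{v}"' for k, v in row.items() if v is not None)

if __name__ == "__main__":
    for r in parse_classes(SAMPLE):
        print(to_event(r))
```

Each class becomes its own event, so the class name and its counters stay together without multivalue handling at search time.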