IT Operations Discussions
All the up-time. All the nines.
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IOS-XR Configuration Changes

alpha76
New Member
‎08-12-2020 05:44 AM

Hi,

We would like our IOS-XR commits to be sent to Splunk, however we have been informed that it is not possible for Splunk to extract the data from the XR commit database.  Consequently, we have written an EEM/TCL script that runs a show configuration commit automatically once an admin commits a change.  We can see the output on the local device but they are not sent to splunk, every other log is received though.

This is the local device

RP/0/RSP0/CPU0:Aug 11 14:41:38.436 : tclsh[65916]: %HA-HA_EEM-6-ACTION_SYSLOG_LOG_INFO : commit_syslog.tcl: show config commit changes 1000000304
RP/0/RSP0/CPU0:Aug 11 14:41:38.438 : tclsh[65916]: Tue Aug 11 14:41:37.554 GMT
RP/0/RSP0/CPU0:Aug 11 14:41:38.438 : tclsh[65916]: Building configuration...
RP/0/RSP0/CPU0:Aug 11 14:41:38.439 : tclsh[65916]: !! IOS XR Configuration 5.3.4
RP/0/RSP0/CPU0:Aug 11 14:41:38.440 : tclsh[65916]: interface TenGigE0/0/0/3
RP/0/RSP0/CPU0:Aug 11 14:41:38.440 : tclsh[65916]: description TESTING CONFIG CHANGES
RP/0/RSP0/CPU0:Aug 11 14:41:38.441 : tclsh[65916]: !
RP/0/RSP0/CPU0:Aug 11 14:41:38.441 : tclsh[65916]: end
RP/0/RSP0/CPU0:Aug 11 14:41:38.443 : tclsh[65916]: RP/0/RSP0/CPU0:LAB-BBR-1#

 

This is what Splunk shows

Aug 11 23:30:19 byf-lab-bbr-1.net.4d-dc.com 67414: LAB-BBR-1 RP/0/RSP0/CPU0:Aug 11 22:30:19.509 : tclsh[65923]: %HA-HA_EEM-6-ACTION_SYSLOG_LOG_INFO : commit_syslog.tcl: show config commit changes 1000000307

 

Any help would be much appreciated.

Tags (1)
0 Karma

RakeshK
Engager
‎08-29-2020 02:46 AM

The output appears to be Syslog.

 

Syslog can be read in Splunk & you might want to check here.

https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html

0 Karma

isoutamo
SplunkTrust
SplunkTrust
‎08-29-2020 03:02 AM

Or could you export those configuration to any file on some node and then read those there by UF? That is probably easier and reliable way unless you already have working centralized syslog server running.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...