IT Operations Discussions
All the up-time. All the nines.
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IOS-XR Configuration Changes

alpha76
New Member
‎08-12-2020 05:44 AM

Hi,

We would like our IOS-XR commits to be sent to Splunk, however we have been informed that it is not possible for Splunk to extract the data from the XR commit database.  Consequently, we have written an EEM/TCL script that runs a show configuration commit automatically once an admin commits a change.  We can see the output on the local device but they are not sent to splunk, every other log is received though.

This is the local device

RP/0/RSP0/CPU0:Aug 11 14:41:38.436 : tclsh[65916]: %HA-HA_EEM-6-ACTION_SYSLOG_LOG_INFO : commit_syslog.tcl: show config commit changes 1000000304
RP/0/RSP0/CPU0:Aug 11 14:41:38.438 : tclsh[65916]: Tue Aug 11 14:41:37.554 GMT
RP/0/RSP0/CPU0:Aug 11 14:41:38.438 : tclsh[65916]: Building configuration...
RP/0/RSP0/CPU0:Aug 11 14:41:38.439 : tclsh[65916]: !! IOS XR Configuration 5.3.4
RP/0/RSP0/CPU0:Aug 11 14:41:38.440 : tclsh[65916]: interface TenGigE0/0/0/3
RP/0/RSP0/CPU0:Aug 11 14:41:38.440 : tclsh[65916]: description TESTING CONFIG CHANGES
RP/0/RSP0/CPU0:Aug 11 14:41:38.441 : tclsh[65916]: !
RP/0/RSP0/CPU0:Aug 11 14:41:38.441 : tclsh[65916]: end
RP/0/RSP0/CPU0:Aug 11 14:41:38.443 : tclsh[65916]: RP/0/RSP0/CPU0:LAB-BBR-1#

 

This is what Splunk shows

Aug 11 23:30:19 byf-lab-bbr-1.net.4d-dc.com 67414: LAB-BBR-1 RP/0/RSP0/CPU0:Aug 11 22:30:19.509 : tclsh[65923]: %HA-HA_EEM-6-ACTION_SYSLOG_LOG_INFO : commit_syslog.tcl: show config commit changes 1000000307

 

Any help would be much appreciated.

Tags (1)
0 Karma

RakeshK
Engager
‎08-29-2020 02:46 AM

The output appears to be Syslog.

 

Syslog can be read in Splunk & you might want to check here.

https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html

0 Karma

isoutamo
SplunkTrust
SplunkTrust
‎08-29-2020 03:02 AM

Or could you export those configuration to any file on some node and then read those there by UF? That is probably easier and reliable way unless you already have working centralized syslog server running.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...