Splunk Search

Cisco Config Regex

DBattisto
Communicator

Before I begin work on what is likely to be a multi-day excursion, I wanted to see if this has already been done.

I am importing Cisco switch and router startup configs into Splunk in hopes of setting up a dashboard that will help us track progress for some compliance items. Unfortunately, the config file is not formatted well, as it is coming from another application's database. It's a text file that is composed of the regular config with '\r\n' being used to show new lines.

My goal is to get this parsed so that it shows individual interfaces as their own fields.

Has anyone had any luck with this endeavor, or anything similar? I'd appreciate some guidance or feedback if you have.
Thanks!

0 Karma

woodcock
Esteemed Legend

It sounds like a job for DBConnect:
https://splunkbase.splunk.com/app/2686/

0 Karma

DBattisto
Communicator

Thanks for the suggestion, but perhaps I should add some context. I'm importing the configurations from SolarWinds, which is retrieved by writing a custom 'SWQL' (the SolarWinds Query Language, eyeroll) query.

The configuration is stored as one column, meaning that it's not parsed out. How would I use dbconnect to help with this? I use dbconnect to import data from a different database already so it'd be interesting to hear what else I could be doing with it.

0 Karma

lakshman239
Influencer

I assume the database which you use isn't supported by DBConnect yet. You may want to check compatibility/support and take a call. https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Installdatabasedrivers#Supported_databases

0 Karma

lakshman239
Influencer

Have you tried loading the file on to splunk via data Inputs? I am sure it will parse and if not, we can adjust the props.conf to line break your events.

0 Karma

DBattisto
Communicator

Are you suggesting loading the config file directly as an individual file? I'm getting thousands of them from a database, so manually adding isn't an option unfortunately.

0 Karma

lakshman239
Influencer

It's a one-off to test config and parsing and validate that your config/events are seen properly. You can do this in dev and set up/tune props.conf to match your needs and then deploy them in prod.

Alternatively, you can use DBConnect as suggested by @woodcock

0 Karma