I have been trying to get Splunk to work with the switch log to show the availability of ports, broken down by device name, interface and hardware type, with the query below:
sourcetype=nexus_switch
| rex field=_raw max_match=1000000 "(?m)(?P<Begin>(Ethernet\d\S+).*\s.*\s.*)"
| rex field=Begin "(?P<interface>Ethernet\d\S+)\sis\s(?P<status>.*)\s.*\s+Hardware(\sis|:)\s(?P<hardware_type>.*),"
| stats count by DeviceName, interface, hardware_type, status
But it shows an incorrect count of 10,000+ total interfaces where I have only 800. Below is a snippet of my log; events are separated by the long underscore line, and every event contains about 20+ interfaces.
___________________________________________________________________________
akcfj-sfe-gere (22.23.1.13):
--------------
term len 0
--------------
--------------
show interface
--------------
Ethernet1/1 is up
Dedicated Interface
Hardware: 1000/10000 Ethernet, address: 0032.7321.b738 (bia 0032.7321.b738)
Description: NP2:*** akcfj-sfe-gere Ten3/1 ***
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is trunk
full-duplex, 10 Gb/s, media type is 10G
Beacon is turned off
Input flow-control is off, output flow-control is off
Rate mode is dedicated
Switchport monitor is off
EtherType is 0x8100
Last link flapped 23week(s) 3day(s)
Last clearing of "show interface" counters never
30 seconds input rate 75332208 bits/sec, 8743 packets/sec
30 seconds output rate 11084936 bits/sec, 3769 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 68.78 Mbps, 8.81 Kpps; output rate 11.02 Mbps, 4.28 Kpps
RX
307056506315 unicast packets 331016646 multicast packets 81428671 broadcast packets
307468951632 input packets 325254018013003 bytes
200664768545 jumbo packets 0 storm suppression packets
0 runts 0 giants 0 CRC 0 no buffer
0 input error 0 short frame 0 overrun 0 underrun 0 ignored
0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
0 input with dribble 0 input discard
0 Rx pause
TX
253672222513 unicast packets 30735817 multicast packets 20055695 broadcast packets
253723014025 output packets 203569881588917 bytes
119425086337 jumbo packets
0 output errors 0 collision 0 deferred 0 late collision
0 lost carrier 0 no carrier 0 babble 0 output discard
0 Tx pause
1 interface resets
I think what you are trying to do is count things within each event, but what you are doing is counting things across events. To count things within events, you need to do something like this: ... | eval numInterfaces=mvcount(interface). If you will be VERY clear about EXACTLY what you are trying to do, I can help you more, but I think this is the crux of your problems.
Did this work?
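As an added example (not from the original poster, the answerer, or Splunk), the Python below applies the question's second rex, with its group names restored from the stats clause, to two constructed events in the same "show interface" layout as the snippet. It counts interfaces per event in the spirit of the mvcount suggestion, and contrasts a count that keeps each interface block's fields together with one that treats the extracted fields as independent per-event lists, which is how separately extracted multivalue fields inflate a total. The sample events, the second device, and the DeviceName regex are assumptions; the question's query gets DeviceName from somewhere not shown.

```python
import re
from collections import Counter
from itertools import product

# Constructed sample events in the "show interface" layout from the question
# (two devices, three interface blocks in total; addresses and names are made up).
EVENTS = [
    """akcfj-sfe-gere (22.23.1.13):
--------------
term len 0
--------------
--------------
show interface
--------------
Ethernet1/1 is up
Dedicated Interface
Hardware: 1000/10000 Ethernet, address: 0032.7321.b738 (bia 0032.7321.b738)
Description: NP2:*** akcfj-sfe-gere Ten3/1 ***
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
Ethernet1/2 is down (Link not connected)
Dedicated Interface
Hardware: 1000/10000 Ethernet, address: 0032.7321.b739 (bia 0032.7321.b739)
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
""",
    """akcfj-sfe-gere2 (22.23.1.14):
--------------
show interface
--------------
Ethernet1/1 is up
Dedicated Interface
Hardware: 100/1000/10000 Ethernet, address: 0032.7321.b73a (bia 0032.7321.b73a)
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
""",
]

# Hypothetical DeviceName extraction from the first line of each event (an assumption;
# the question's query obtains DeviceName elsewhere).
DEVICE_RE = re.compile(r"^(?P<DeviceName>\S+)\s\([\d.]+\):", re.M)

# The question's second rex with the group names taken from its stats clause.
# Greedy ".*" plus the trailing "," stops hardware_type at the last comma on the line.
IFACE_RE = re.compile(
    r"(?P<interface>Ethernet\d\S+)\sis\s(?P<status>.*)\s.*\s+Hardware(\sis|:)\s(?P<hardware_type>.*),"
)


def parse_event(event):
    """Return (device, records): one dict per interface block, fields kept together."""
    m = DEVICE_RE.search(event)
    device = m.group("DeviceName") if m else "unknown"
    records = [
        {"DeviceName": device, "interface": x.group("interface"),
         "status": x.group("status"), "hardware_type": x.group("hardware_type")}
        for x in IFACE_RE.finditer(event)
    ]
    return device, records


def interfaces_per_event(events):
    """Per-event interface count, the equivalent of eval numInterfaces=mvcount(interface)."""
    result = {}
    for e in events:
        device, records = parse_event(e)
        result[device] = len(records)
    return result


def count_aligned(events):
    """Correct count: one row per interface block, its fields paired as they appear in the log."""
    c = Counter()
    for e in events:
        for r in parse_event(e)[1]:
            c[(r["DeviceName"], r["interface"], r["hardware_type"], r["status"])] += 1
    return c


def count_cross_product(events):
    """Inflated count: interface, hardware_type and status treated as three independent
    lists per event, so every combination of the three is counted as a row."""
    c = Counter()
    for e in events:
        device, recs = parse_event(e)
        ifaces = [r["interface"] for r in recs]
        hw = [r["hardware_type"] for r in recs]
        st = [r["status"] for r in recs]
        for i, h, s in product(ifaces, hw, st):
            c[(device, i, h, s)] += 1
    return c


if __name__ == "__main__":
    print(interfaces_per_event(EVENTS))
    print(sum(count_aligned(EVENTS).values()), "rows with fields kept together")
    print(sum(count_cross_product(EVENTS).values()), "rows when fields are treated independently")
```

With the two sample events, the paired count yields three rows (one per interface block) while the independent-list count yields nine; with 20+ interfaces per event the gap between the two grows much faster, which is the kind of inflation the per-event mvcount check in the answer is meant to surface.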
Hi ryantzj,
Have you tested any of the apps provided at https://splunkbase.splunk.com/apps/#/page/1/search/nexus/order/relevance? They will do all the field extractions from Nexus logs for you....
cheers, MuS
Hi MuS,
Thanks for the suggestion, but apparently the log format is not supported by the Cisco Nexus add-on... any workaround for this?