I have been trying to get Splunk to work with the switch log to show the availability of ports divided by device name, interface and hardware type with the query below:
sourcetype=nexus_switch | rex field=_raw max_match=1000000 "(?m)(?P<Begin>(Ethernet\d\S+).*
\s.*
\s.*
)" | rex field=Begin "(?P<interface>Ethernet\d\S+)\sis\s(?P<status>.*)
\s.*
\s+Hardware(\sis|:)\s(?P<hardware_type>.*)," | stats count by DeviceName, interface, hardware_type, status
But it shows an incorrect count of 10,000+ total interfaces where I have only 800. Below is a snippet of my log, line broken by the long underscore line; every event contains about 20+ interfaces.
___________________________________________________________________________
akcfj-sfe-gere (22.23.1.13):
--------------
term len 0
--------------
--------------
show interface
--------------
Ethernet1/1 is up
Dedicated Interface
Hardware: 1000/10000 Ethernet, address: 0032.7321.b738 (bia 0032.7321.b738)
Description: NP2:*** akcfj-sfe-gere Ten3/1 ***
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is trunk
full-duplex, 10 Gb/s, media type is 10G
Beacon is turned off
Input flow-control is off, output flow-control is off
Rate mode is dedicated
Switchport monitor is off
EtherType is 0x8100
Last link flapped 23week(s) 3day(s)
Last clearing of "show interface" counters never
30 seconds input rate 75332208 bits/sec, 8743 packets/sec
30 seconds output rate 11084936 bits/sec, 3769 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 68.78 Mbps, 8.81 Kpps; output rate 11.02 Mbps, 4.28 Kpps
RX
307056506315 unicast packets 331016646 multicast packets 81428671 broadcast packets
307468951632 input packets 325254018013003 bytes
200664768545 jumbo packets 0 storm suppression packets
0 runts 0 giants 0 CRC 0 no buffer
0 input error 0 short frame 0 overrun 0 underrun 0 ignored
0 watchdog 0 bad etype drop 0 bad proto drop 0 if down drop
0 input with dribble 0 input discard
0 Rx pause
TX
253672222513 unicast packets 30735817 multicast packets 20055695 broadcast packets
253723014025 output packets 203569881588917 bytes
119425086337 jumbo packets
0 output errors 0 collision 0 deferred 0 late collision
0 lost carrier 0 no carrier 0 babble 0 output discard
0 Tx pause
1 interface resets