Looking to use splunk to compare my cisco router configuration files? Since it does not seem I can use the forwarder for changes, what are my options?
This is a planned feature for the Cisco IOS app. In the meantime you can do the following:
On your Cisco device:
archive path ftp://USER:PASSWORD@YOUR.FTP.SERVER/cisco_backups/$h write-memory log config logging enable logging size 200 notify syslog contenttype plaintext hidekeys !
An example Splunk input on your forwarder + FTP server:
[monitor:///ftproot/cisco_backups/*] sourcetype = Cisco:IOS:Configuration disabled = false
Make sure you have the Technology Add-on for Cisco IOS installed on your indexer/forwarder as it defines the Cisco:IOS:Configuration sourcetype stanza.
You can then use the built-in Splunk "diff" command to compare two versions
Comparing configuration files for network devices really isn't Splunk's strong suit. Splunk is designed to store, index, and search on mostly unstructured or semi-structured data.
You might consider something like RANCID http://www.shrubbery.net/rancid/ and integrating it into Splunk. RANCID does the job of logging into routers on a schedule and downloading configurations and other information, and comparing it to the last time RANCID was run. The results of RANCID's comparisons could easily be pushed into Splunk as log events and searched upon that way.