Splunk Search

How to get Cisco IP SLA statistics into Splunk to create a timechart with an RTT value?

dibrovs
New Member

Hello

I need to to get Cisco IP SLA statistics into Splunk.

I would like to create a timechart with an RTT value.
Has anyone been able to to do this?

0 Karma

Richfez
SplunkTrust
SplunkTrust

Lots of moving parts to this, I think, and I don't like all the answers I've found. But, please read through - there's stuff at the end that may make a difference.

The general steps would be
Get your data in. A lot of this is outside the scope of a Splunk Answers post, but you'll have to configured your devices. Here's some docs, not sure if they're right or not but they should help.

But then you have to make the Cisco device "send" that somewhere. There appears to be a lot of confusion between SNMP and syslog in the Cisco docs and on the interwebs. For instance this discussion does it, and Cisco's own docs do so as well, calling SNMP traps "syslog traps". They're not the same things. Still, for your purposes, what you need is a way to get those messages out. If you can figure out actual syslog, send the syslog to something like a syslog-ng or rsyslog collector, have that write a file (well documented elsewhere and in Answers in other places), then use a Splunk file monitor input to grab that. If it can only send SNMP traps, well, you will likely want to do the same thing only replace 'syslog-ng' with some SNMP trap reading program.

Once you have the data in Splunk, ... Well, I can find no good examples of the log lines, so if you get this data in please post back with some sample messages that have your data and I'll bet we can help.

Note: This post makes it look like this isn't going to be so useful due to how Cisco logs these. Hopefully it's wrong. The few examples I can find of these messages make it look like they don't log the actual RTT, only that it's "over threshold" which is of no help. I'd bet there's a whole 'nother doc from Cisco about this. 🙂

Extra special note: Just a thought, but it may be that you don't want to log IP SLA information, but instead the - for lack of a better term - "IP statistics" information? It seems to me when they say "IP SLA" they're really talking about how it performed against the SLA you define. What you might want instead is the raw statistics that drive that, the ones that give you real live RTT values instead of just "over threshold". I am not familiar enough with the wily ways of Cisco docs to decide what they may have called such things, but a bit of Googling may find that answer. Or ask your network team?

Anyway, in either case, let us know how it goes and what you find out! I'm sure there are others out here asking themselves the same questions!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...