Cisco IOS and WLC time format

tfechner · ‎07-04-2018

Hi all,

we saw this log from cisco IOS in splunk:
...Jul 4 16:43:42 HOSTNAME 19028: 10.1.1: Jul 4 16:43:42.804: %LINE.....

and this from a WLC:
...Jul 4 16:44:46 wlc-xxx WLXxxxxx: spamApTa7: Jul 04 16:44:46.583: %CAPWAP

Please find the date definition with a leading zero and without.
To speedup splunk index processing we would like to give Splunk a hint how to extract the time with the miliseconds. Per default there is no extraction of the partial seconds.

Using the splunk_ta for extraction splunk uses the syslog time as the messages reaches the indexer. Splunk does not use the internal time:
Splunk-Event-Time
04/07/2018
17:07:24.000

Syslog-Message:
Jul 4 17:07:24 hostx 9481: 10.251.8.4: Jul 4 17:07:23.279: %PM-4-ERR_DISABLE: bpduguard XXXXX

How can we help the index time processing to extract the correct time with miliseconds with both types of syslog-typs in one index?

Or is it better to seperate the wlc and ios? Can we then use the Cisco-Dashboard app anymore as we have two indexes?

Torsten

niketn · ‎07-10-2018

@tfechner, I think Docs needs correction to description. However, as per Unix documentation %d picks up both date prefixed with 0 and not prefixed with 0. http://pubs.opengroup.org/onlinepubs/7908799/xsh/strptime.html

Following is a run anywhere search to demo _time being set from time field with both kind of dates.

| makeresults
| eval data="time=\"Jul 4 16:43:42.804\",time=\"Jul 04 16:44:46.583\""
| makemv data delim=","
| mvexpand data
| rename data as _raw
| KV
| eval _time=strptime(time,"%b %d %H:%M:%S.%3N")

To answer your other question, you should ideally create two different sourcetypes for data coming in two different formats from two systems. You can correlate them afterwards as per your requirement.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mikaelbje · ‎07-04-2018

Hi,

you will have to set a TIME_FORMAT and TIME_PREFIX for the cisco:ios sourcetype (see props.conf)

Use something like Rubular.com to test it.

For TIME_PREFIX this may work:

TIME_PREFIX = \S+:\s\S+:\s

However you may have false positives as it is very generic.
Regarding TIME_FORMAT you may have issues with the asterisk. For IOS devices the asterisk is there to indicate that the time is not synced with NTP (ref. https://networkengineering.stackexchange.com/questions/10168/interpreting-cisco-logging-symbols), but I am not sure if the meaning is the same for WLC.

I prefer to trust the syslog server time instead of the device time for Cisco networking devices, but maybe that's just me.

mikaelbje · ‎07-10-2018

See (from http://pubs.opengroup.org/onlinepubs/009695399/functions/strptime.html)

%d
The day of the month [01,31]; leading zeros are permitted but not required

This should also work in Splunk

tfechner · ‎07-04-2018

The asterix is a typo... 🙂

The problem is to extract the time and date! (23:59:59-offset) - not the prefix.. The time format string according https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Commontimeformatvariables has no day extracting string for number with and without leading zero. You can use %d or $e. There is no %XXX as for minutes like %M (do not care about leading zero)

Cisco IOS and WLC time format

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes