- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Cisco Config Regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco Config Regex
Before I begin work on what is likely to be a multi-day excursion, I wanted to see if this has already been done.
I am importing Cisco switch and router startupconfigs into Splunk in hopes of setting up a dashboard that will help us track progress for some compliance items. Unfortunately, the config file is not formatted well, as it is coming from another application's database. It's a text file that is composed of the regular config with '\r\n' being used to show new lines.
My goal is to get this parsed so that it shows individual interfaces as it's own field.
Has anyone had any luck with this endeavor, or anything similar? I'd appreciate some guidance or feedback if you have.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like a job for DBConnect:
https://splunkbase.splunk.com/app/2686/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestionm but perhaps I should add some context. I'm importing the configurations from SolarWinds, which is retrieved by writing a custom 'SWQL' (the SolarWinds Query Language eyeroll) query.
The configuration is stored as one column, meaning that it's not parsed out. How would I use dbconnect to help with this? I use dbconnect to import data from a different database already so it'd be interesting to hear what else I could be doing with it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume the database which you use isn't supported by Dbconnect yet.. you may want to check compatibility/support and take a call. https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Installdatabasedrivers#Supported_databases
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried loading the file on to splunk via data Inputs? I am sure it will parse and if not, we can adjust the props.conf to line break your events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you suggesting loading the config file directly as an individual file? I'm getting thousands of them from a database, so manually adding isn't an option unfortunately.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its one off to test config and parsing and validate your config/events are seen properly. You can do this in dev and setup/tune props.conf to match your needs and then deploy them in prod.
Alternately, you can use dbconnect as suggested by @woodcook
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
