Parse Cisco SNMP trap for MAC address and status

cwwirth
Explorer

I'm having some difficulty figuring out the best way to parse the following string, sent by my Cisco switches as SNMP traps when they report interface link up/down:

Hex-STRING: 01 00 01 EC 30 91 CC 51 09 00 19 00

In the above example, here's the information that I need to parse and make human readable. The whole string is in hex, but only parts of it should be converted to decimal.

Field 1 : 01 = Add, 02 = Remove. Preferably, I'd like the output to simply replace 01 with "connected" and 02 with "disconnected".

Field 2 plus Field 3 = VLAN number. These four hex characters denote the VLAN number when converted to decimal (in this example, 00 01 equates to VLAN 1). Would like the output decimal string to be prefaced with "VLAN=".

Field 4-9 : Computer's MAC Address. This should stay in hex, but preferably each octet should be delimited with colons and prefaced with "MAC=" (e.g. turn EC 30 91 CC 51 09 into MAC=EC:30:91:CC:51:09).

Field 10 : Interface card number. Would be nice to have the value prefaced with "card=" for human readability.

Field 11 : Interface port number. Would be nice to have the value prefaced with "port=" for human readability.

Field 12 : Unknown (can be skipped)

I'm still learning regex and all of Splunk's functions, and I've hacked together this search string based on my very limited knowledge:

rex "STRING:\s(?<stat>[0-9]{2})\s(?<vlan>[0-9]{5})\s(?<mac1>[0-9]{2})\s(?<mac2>[0-9]{2})\s(?<mac3>[0-9]{2})\s(?<mac4>[0-9]{2})\s(?<mac5>[0-9]{2})\s(?<mac6>[0-9]{2})\s(?<card>[0-9]{2})\s(?<port>[0-9]{2})" | eval status=if(<stat>=01, "connected", "disconnected") | eval vlan=tostring(tonumber(vlan,16)) | "mac1":"mac2":"mac3":"mac4":"mac5":"mac6" | eval card=tostring(tonumber (card,16)) | eval port=tostring(tonumber (port,16))

Needless to say, this code mess doesn't work. Can someone help me get my act together?

TL;DR:

Please help me make this string:

Hex-STRING: 01 00 01 EC 30 91 CC 51 09 00 19 00

...look like this:

Hex-STRING: connected VLAN 1 MAC=EC:30:91:CC:51:09 card=00 port=19

Thank you!


cwwirth
Explorer

Well, I'm answering my own question here, but hopefully it helps someone. I found the following thread, which does very similar to what I want:

http://splunk-base.splunk.com/answers/46247/how-to-extract-mac-address-field-from-cisco-mac-address-...

However, when I tried it, it didn't work. I've managed to clean up the code and make it work:

rex "Hex-STRING:\s(?<action1>[0-9]{2})\s(?<vlan_hex>[\sa-fA-F0-9]{5})\s(?<mac_address>[\sA-F0-9]{17})\s(?<card_hex>[\sA-F0-9]{2})\s(?<port_hex>[\sA-F0-9]{2})" | rex "UDP:\s\[(?<switch_ip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" | eval ACTION2=replace(action1,"01","Added") | eval ACTION=replace(ACTION2,"02","Removed") | eval VLAN1=replace(vlan_hex,"\s","") | eval VLAN=tonumber(VLAN1, 16) | eval MAC-ADDRESS=replace(mac_address,"\s",":") | eval CARD1=replace(card_hex,"\s","") | eval CARD=tonumber(CARD1, 16) | eval PORT1=replace(port_hex,"\s","") | eval PORT=tonumber(PORT1, 16) | table _time, ACTION, VLAN, MAC-ADDRESS, CARD, PORT, switch_ip

I'm a little bummed still, in that the switches are being listed by their IP addresses. I had to do this as we don't have our switches listed in DNS. I do, however, have tags in Splunk correlating host=[switch IP address] to hostnames, so if anyone has any ideas on how I can get my code above to replace switch_ip with the correlating tag, that would be awesome.

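Added example, not code from the thread or from Splunk: the decoding the question lays out (action byte, two-byte VLAN, six-byte MAC, card, port, one unknown byte) and that the answer's rex/eval chain performs, written as a stand-alone Python parser so the field layout can be checked against a trap line outside Splunk. The sample line is constructed (RFC 5737 documentation addresses around the payload quoted in the question); its "UDP: [" prefix is the snmptrapd form the answer's second rex expects. The ACTIONS mapping and the MacNotification field names are this example's own choices. Card and port are converted from hex the same way the answer's tonumber(..., 16) does, so the payload byte 19 comes out as port=25, not the raw "19" shown in the TL;DR; keep that in mind when comparing against switch port numbering.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Action codes as described in the question: 01 = Add, 02 = Remove.
ACTIONS = {0x01: "connected", 0x02: "disconnected"}

# The hex payload after "Hex-STRING:" (case-insensitive pairs, whitespace-separated)
# and the sender address in the "UDP: [a.b.c.d]" prefix the answer's second rex targets.
HEX_STRING_RE = re.compile(r"Hex-STRING:\s*((?:[0-9A-Fa-f]{2}\s*)+)")
SWITCH_IP_RE = re.compile(r"UDP:\s\[((?:\d{1,3}\.){3}\d{1,3})\]")

# Constructed sample line (not a real capture): RFC 5737 documentation addresses
# around the exact payload quoted in the question.
SAMPLE_LINE = (
    "UDP: [192.0.2.10]:53151->[192.0.2.5]:162 "
    "Hex-STRING: 01 00 01 EC 30 91 CC 51 09 00 19 00"
)


@dataclass
class MacNotification:
    status: str               # field 1 mapped through ACTIONS
    vlan: int                 # fields 2-3, one 16-bit big-endian value
    mac: str                  # fields 4-9, colon-delimited uppercase hex
    card: int                 # field 10, converted from hex like tonumber(card_hex, 16)
    port: int                 # field 11, converted from hex like tonumber(port_hex, 16)
    switch_ip: Optional[str]  # from the "UDP: [...]" prefix, None if the line lacks it

    def human_readable(self) -> str:
        """Render in the shape the question asks for."""
        return (f"{self.status} VLAN={self.vlan} MAC={self.mac} "
                f"card={self.card} port={self.port}")


def parse_trap_line(line: str) -> MacNotification:
    """Decode one snmptrapd-style line carrying the 12-byte MAC-notification payload.

    Raises ValueError for lines without a payload, payloads shorter than the
    11 bytes the named fields occupy, or an action code ACTIONS does not know.
    """
    m = HEX_STRING_RE.search(line)
    if not m:
        raise ValueError("no Hex-STRING payload in line")
    payload = bytes.fromhex(m.group(1))  # fromhex skips the whitespace between pairs
    if len(payload) < 11:
        raise ValueError(f"payload too short: {len(payload)} bytes, need at least 11")

    action = payload[0]
    status = ACTIONS.get(action)
    if status is None:
        raise ValueError(f"unknown action code 0x{action:02X}")

    vlan = int.from_bytes(payload[1:3], "big")
    mac = ":".join(f"{b:02X}" for b in payload[3:9])
    card = payload[9]
    port = payload[10]
    # payload[11] is field 12, which the question marks as unknown; it is ignored.

    ip_match = SWITCH_IP_RE.search(line)
    switch_ip = ip_match.group(1) if ip_match else None
    return MacNotification(status, vlan, mac, card, port, switch_ip)


def is_valid_trap_line(line: str) -> bool:
    """True when parse_trap_line accepts the line; handy for filtering malformed input."""
    try:
        parse_trap_line(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    record = parse_trap_line(SAMPLE_LINE)
    print(record.switch_ip, record.human_readable())
```

The parser accepts lowercase hex as well, which the answer's `[\sA-F0-9]` classes would not, and rejects short payloads and unknown action codes instead of silently producing partial fields; the SPL equivalent would be a `where` on the extracted fields before the `table` command.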