Cisco pipe options and some regex examples

Just a quick post about using the pipe (|) command on Cisco devices to help format the output of any command.

Add the pipe to any show command followed by ? to see the available options. The output below is from a 6500.

6509#show run | ?
  append    Append redirected output to URL (URLs supporting append operation only)
  begin     Begin with the line that matches
  exclude   Exclude lines that match
  include   Include lines that match
  redirect  Redirect output to URL
  tee       Copy output to URL
  • Append sends all output from the show command to be appended to a file that already exists at either a local (flash: disk:) or remote (ftp: tftp:) location. E.g. the command below would copy the output of the show running-config command to an FTP server using a username and password.
6509#show run | append ftp://myuser:mypass@10.10.10.10/6509/running_config
  • Begin will begin the output from the first line that matches the expression that follows the begin command. E.g. the command below begins the output at router eigrp and outputs everything after that line, because it's the first line to match our expression. Note that capitalisation does matter.
6509#show run | begin router
router eigrp 1
 redistribute static
 network 10.0.0.0
 ...
 ntp server 10.20.10.2 source Vlan378
 end
  • Exclude removes all lines that match the expression from the output. E.g. this will remove all lines beginning with a capital G (all GigabitEthernet interfaces) while showing all other lines.
6509#  show ip int brief | exclude ^G
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      10.10.10.2      YES NVRAM  up                    up
Vlan2                      10.10.20.2      YES NVRAM  up                    up
...
Port-channel2              unassigned      YES unset  up                    up
Loopback0                  unassigned      YES NVRAM  up                    up
  • Include only displays the lines matching the expression. E.g. this will only display lines starting with a capital G or an I.
6509#  show ip int brief | include ^(G|I)
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet1/1         unassigned      YES unset  up                    up
GigabitEthernet1/2         unassigned      YES unset  down                  down
...
GigabitEthernet7/48        unassigned      YES unset  down                  down
  • Redirect sends all output to a file that can be either local or remote, similar to append, but redirect either creates a new file or overwrites an existing one. E.g. this will send the output to a local file on disk0 (there is no terminal output from this command).
6509#show access-lists | redirect disk0:acls
  • Tee is similar to append and redirect but also sends the output to the terminal. The default is similar to redirect (create new or overwrite) plus display to the terminal, although append behaviour (append to existing file) can be enabled with the /append switch. E.g. this will append the output to a file on a tftp server and display the output to the terminal too.
6509# show access-list | tee /append tftp://10.10.10.10/6509/acl

Regex

The expressions for the commands above can either be simple words or regular expressions.  There are lots of sites about regex but here are a few examples.

6509#show int | include ^[A-Z]
Vlan1 is up, line protocol is up
Vlan2 is up, line protocol is up
...
Loopback0 is up, line protocol is up

Shows all lines that begin with a capital letter. Will not match lines that start with a space. ^ matches the start of a line and [A-Z] matches any capital letter.

6509#show int | include ^[A-Z]|Last in
Vlan1 is up, line protocol is up
  Last input 00:00:00, output 00:00:01, output hang never
Vlan2 is up, line protocol is up
  Last input 00:00:01, output 00:00:00, output hang never
...
Loopback0 is up, line protocol is up
  Last input never, output never, output hang never

The example above matches the same as the first example OR any line that includes “Last in”. The second | enables the or function and “Last in” literally matches any occurrence of that phrase. Capitalisation does matter!

m00nie-ASA# show processes cpu-usage sorted | include [0-9][0-9]\.|08bdbd11
081ae324   d59cf870    24.3%    25.6%    25.4%   Dispatch Unit
08bdbd11   d59c7098     0.0%     0.0%     0.0%   tcp_fast

On an ASA this time. This example matches two digits from 0-9 followed by a dot. The \ before the dot makes it match the literal dot. Again we use a second pipe for an or function and match a specific word.

m00nie-ASA# show processes cpu-usage sorted | exclude 0.0%.*0.0%.*0.0%|[0-9][0-9]\.
PC         Thread       5Sec     1Min     5Min   Process
08bd08e6   d59a9110     0.8%     0.9%     0.9%   Logger
08b9dc8c   d59994e8     0.2%     0.2%     0.1%   ssh
083x1452   d59a23d8     0.1%     0.1%     0.1%   fover_health_monitoring_thread

This time we exclude all lines that have 0.0% 0.0% 0.0% OR have two digits followed by a dot, i.e. >= 10%.

m00nie-ASA# show access-list | inc 192.168.1[5-9].*cnt=0
  access-list FW_ACL_Outside line 4 extended permit ip 192.168.16.0 255.255.255.0 any (hitcnt=0) 0xfd96397
  access-list FW_ACL_Outside line 4 extended permit ip 192.168.17.0 255.255.255.0 any (hitcnt=0) 0x4dd97bd

There is no “real” AND function but you can use .* (dot then star) to match everything between two other expressions. Above we match acls from 192.168.15-19.x AND that have a hit count of zero.
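The .* "AND" idiom above can be checked offline against saved output. The Python below is an added example, not part of the original post: it emulates include and exclude over constructed ACL lines and shows that the pattern as typed also matches 192.168.150.0 and 10.192.168.15, and that A.*B only matches when A comes before B on the line. The TIGHT pattern is a suggested stricter variant, and Python's re module is assumed to behave like the device's regex engine for these simple constructs.

```python
import re

# Constructed sample in the shape of ASA "show access-list" output (not from a real device).
SAMPLE = [
    "access-list FW_ACL_Outside line 1 extended permit ip 192.168.16.0 255.255.255.0 any (hitcnt=0) 0x00000001",
    "access-list FW_ACL_Outside line 2 extended permit ip 192.168.17.0 255.255.255.0 any (hitcnt=42) 0x00000002",
    "access-list FW_ACL_Outside line 3 extended permit ip 192.168.150.0 255.255.255.0 any (hitcnt=0) 0x00000003",
    "access-list FW_ACL_Outside line 4 extended permit ip any host 10.192.168.15 (hitcnt=0) 0x00000004",
    "access-list FW_ACL_Outside line 5 extended permit ip 192.168.14.0 255.255.255.0 any (hitcnt=0) 0x00000005",
]

PAGE_PATTERN = r"192.168.1[5-9].*cnt=0"  # as typed in the post
REVERSED = r"cnt=0.*192.168.1[5-9]"      # same two terms, other order
TIGHT = r" 192\.168\.1[5-9]\.[0-9]+ .*hitcnt=0"  # assumption: stricter variant


def include(lines, pattern):
    """Emulate '| include': keep lines where the pattern matches anywhere."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def exclude(lines, pattern):
    """Emulate '| exclude': drop lines where the pattern matches anywhere."""
    rx = re.compile(pattern)
    return [line for line in lines if not rx.search(line)]


def rule_numbers(lines):
    """Pull the 'line N' number out of each ACL entry for compact reporting."""
    return [int(re.search(r" line (\d+) ", line).group(1)) for line in lines]


if __name__ == "__main__":
    # The post's pattern also catches 192.168.150.0 and 10.192.168.15.
    print("page pattern :", rule_numbers(include(SAMPLE, PAGE_PATTERN)))
    # A.*B only matches when A appears before B on the line.
    print("reversed     :", rule_numbers(include(SAMPLE, REVERSED)))
    # Escaped dots plus delimiters around the address restore the intent.
    print("tight pattern:", rule_numbers(include(SAMPLE, TIGHT)))
    # Rules that have seen traffic: everything that is not hitcnt=0.
    print("with hits    :", rule_numbers(exclude(SAMPLE, r"hitcnt=0\)")))
```
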

Regex can be very powerful when used with alias 😉 A good place to practice is on the public route servers with a command like

show ip bgp regex "some expression"

m00nie 😀

Comments

  • Coool, was looking for an “AND” operator for some time, “.*” really made my day, good job 😉

  • Hi,

    Thanx for the great post!
    I am sitting with an issue at the moment…

    If I run the command: show access-list inside_access_in

    I then get all the line numbers of all the rules in this access list; example below:

    access-list inside_access_in line 2 extended permit tcp object-group SRC object-group DST object-group SRV 0xeb4a9e23
    access-list inside_access_in line 2 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ftp-data (hitcnt=0) 0x87fe9496
    access-list inside_access_in line 2 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ftp (hitcnt=0) 0x021f8848
    access-list inside_access_in line 2 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ssh (hitcnt=0) 0xc4fd68ba
    access-list inside_access_in line 2 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq www (hitcnt=0) 0x62d814b5
    access-list inside_access_in line 2 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 8443 (hitcnt=0) 0x1da67b0f
    access-list inside_access_in line 3 extended permit tcp object-group SRC1 object-group DST1 object-group SRV1 0xeb4a9e23
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ftp-data (hitcnt=0) 0x87fe9496
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ftp (hitcnt=0) 0x021f8848
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ssh (hitcnt=0) 0xc4fd68ba
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq www (hitcnt=0) 0x62d814b5
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 8443 (hitcnt=0) 0x1da67b0f

    All I want to output is the main ACL of the specific line:
    access-list inside_access_in line 3 extended permit tcp object-group SRC1 object-group DST1 object-group SRV1 0xeb4a9e23
    access-list inside_access_in line 2 extended permit tcp object-group SRC object-group DST object-group SRV 0xeb4a9e23

    but only if all the lines are 0 hit count. If, let's say, one of the lines in line 3 has a hit count then I want to exclude that main ACL line.
    Like below:

    access-list inside_access_in line 3 extended permit tcp object-group SRC1 object-group DST1 object-group SRV1 0xeb4a9e23
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ftp-data (hitcnt=0) 0x87fe9496
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ftp (hitcnt=4000) 0x021f8848
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ssh (hitcnt=0) 0xc4fd68ba
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq www (hitcnt=0) 0x62d814b5
    access-list inside_access_in line 3 extended permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 8443 (hitcnt=0) 0x1da67b0f

    ANY help would be appreciated.

    Thanx

  • Hi Jacques

    If I understand correctly I don't think you can do exactly as you want since it would be a match against multiple lines at the same time.

    show access-list | i object-group|hitcnt=0

    This would show you all the parent rules along with any that had hits of 0, so fairly close to what you are looking for? 🙂
    Hope that helps

    m00nie
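The per-rule check asked about in this exchange needs state across lines, so it has to run off-box on saved output. The Python below is an added example, not part of the original comments: it groups entries by ACL name and line number and returns the parent rule only when every entry in the group shows hitcnt=0. The sample output, addresses and hash values are constructed.

```python
import re

# Constructed "show access-list" output in the shape quoted in the comment above.
SAMPLE = """\
access-list inside_access_in line 2 extended permit tcp object-group SRC object-group DST object-group SRV 0x00000a00
  access-list inside_access_in line 2 extended permit tcp host 192.0.2.1 host 198.51.100.1 eq ftp (hitcnt=0) 0x00000a01
  access-list inside_access_in line 2 extended permit tcp host 192.0.2.1 host 198.51.100.1 eq ssh (hitcnt=0) 0x00000a02
access-list inside_access_in line 3 extended permit tcp object-group SRC1 object-group DST1 object-group SRV1 0x00000b00
  access-list inside_access_in line 3 extended permit tcp host 192.0.2.2 host 198.51.100.2 eq ftp (hitcnt=4000) 0x00000b01
  access-list inside_access_in line 3 extended permit tcp host 192.0.2.2 host 198.51.100.2 eq ssh (hitcnt=0) 0x00000b02
access-list inside_access_in line 4 extended permit tcp host 192.0.2.3 host 198.51.100.3 eq www (hitcnt=0) 0x00000c00
"""

ENTRY = re.compile(r"^\s*access-list (\S+) line (\d+) ")
HITCNT = re.compile(r"\(hitcnt=(\d+)\)")


def unused_rules(text):
    """Return the first (parent) line of every rule whose entries all have hitcnt=0."""
    groups = {}  # (acl name, line number) -> parent text and list of hit counts
    for raw in text.splitlines():
        entry = ENTRY.match(raw)
        if not entry:
            continue  # skip banners, blank lines and anything that is not an ACL entry
        key = (entry.group(1), int(entry.group(2)))
        group = groups.setdefault(key, {"parent": raw.strip(), "hits": []})
        hit = HITCNT.search(raw)
        if hit:  # object-group parent lines carry no counter of their own
            group["hits"].append(int(hit.group(1)))
    # A group with no counters at all gives no evidence either way, so it is not reported.
    return [g["parent"] for g in groups.values()
            if g["hits"] and all(count == 0 for count in g["hits"])]


if __name__ == "__main__":
    for rule in unused_rules(SAMPLE):
        print(rule)
```

Hit counters restart at zero after a reload or a counter clear, so a zero count only means something over a known observation window.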

  • Thanx a stack! Really appreciate the assistance.
    Gonna try it and will let u know. ;D

  • thx , very useful examples. I have another question, how can we write output of a filtered result?
    I am trying to append results of “sh isd sta | i Bs” to a file on flash.
    This command did not work :sh isd sta | i Bs |append flash:test

  • Hi aytac

    Glad you found it of some use but sadly I don't think what you're aiming to do is possible with what Cisco give us at the moment 🙁
    Cheers

    m00nie

  • Is there a way to look to the next line? Normally \n\r and or /s would allow this but I can’t find a way to include all interfaces that are up and their ip address and CIDR notation

  • Hi Michael

    I'm not too sure how simple that would be with the basic regex they give us. Best way I could think of would be show ip int brief | i up.*up That would only output lines that are up and their IP although not CIDR info but I'm not sure if that fits what you're looking for? Show int output would include IPs for interfaces that were down too so the above might be a good compromise? 🙂
    Cheers

    m00nie

  • hi Mate,

    could you help in creating a reg exp for this requirement?

    I just need to show running config of inter loopback0 but I am only interested on the configs within that interface.
    interface Loopback0
    description [lo]
    ip address
    ip pim sparse-mode
    snmp trap link-status
    logging event link-status

    if I do a show run all | s interface Loopback0
    I get a bunch of port settings that I am not interested in.

    Can you help formulate a regexp?

    Cheers,

  • Hi blue phoenix

    Normally you could just use multiple pipes |||| as an OR type function because you want to match ip add OR pim OR link-status etc e.g. show blah |include something | or something else | yet more but I'm not sure this will be available for a show run all section type request. I don't have a router to hand at the moment (!) but I’ll try to check soon
    Cheers

    m00nie

  • Hey, great help!
    I’m searching for a way to show the next X lines after a match. E.g. when you do a “show vpn-session svc”, you get a list like this:
    Username : xxx Index : 7
    Assigned IP : 1.2.3.4 Public IP : 5.6.7.8
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
    Bytes Tx : 71661793 Bytes Rx : 5453454
    Group Policy : xxx Tunnel Group : xx
    Login Time : 03:14:00 CEDT Mon Aug 29 2016
    Duration : 1h:11m:01s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : 8fa463a80000700057c38c58
    Security Grp : none
    Then you can search for the username (here only xxx), but interesting are the next 12 lines as well. So how to get them?

  • Hi Thorsten

    There isn't a “nice” way to count lines after a match I think but you could do something hacky with the ‘OR’ logic if you can find something unique in each line you’d like, for example show vpn-session svc | i Username|Assigned IP|Protocol etc etc
    Then if you add that to an alias it may be something usable for you? 🙂
    Cheers

    m00nie

  • Hi m00nie,

    thx for the suggestions, but it did not work. Perhaps you got me wrong. I try to explain again.
    When you make “sh vpn-session svc” you get a list like this (when you have about 2000 vpn, the list is very, very long):

    Username : extern.alexandru.dru@abc.de
    Index : 999
    Assigned IP : 192.168.78.100 Public IP : 83.103.170.163
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
    Bytes Tx : 1939955058 Bytes Rx : 236260533
    Group Policy : GP-abc-vpn Tunnel Group : CP-anyconnect-client
    Login Time : 07:09:45 CEDT Wed Sep 7 2016
    Duration : 2d 1h:54m:58s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : 8fa42404003e700057cfa119
    Security Grp : none
    Username : axel1.meier@psw.abc.de
    Index : 1033
    Assigned IP : 192.168.77.19 Public IP : 178.239.66.112
    Protocol : AnyConnect-Parent SSL-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
    Bytes Tx : 774506682 Bytes Rx : 82238613
    Group Policy : GP-abc-vpn Tunnel Group : CP-anyconnect-client
    Login Time : 07:13:14 CEDT Wed Sep 7 2016
    Duration : 2d 1h:51m:29s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : 8fa424040040900057cfa1ea
    Security Grp : none
    Username : hans-dieter.fuchs@abc.de
    Index : 1191
    Assigned IP : 192.168.66.62 Public IP : 188.210.60.49
    Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License : AnyConnect Premium
    Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
    Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
    Bytes Tx : 198709226 Bytes Rx : 58537018
    Group Policy : GP-abc-vpn Tunnel Group : CP-anyconnect-client
    Login Time : 07:28:04 CEDT Wed Sep 7 2016
    Duration : 2d 1h:36m:39s
    Inactivity : 0h:00m:00s
    VLAN Mapping : N/A VLAN : none
    Audt Sess ID : 8fa42404004a700057cfa564
    Security Grp : none

    So sometimes you want to look only one specific user, then you normally know his username. For this there is another command in the Cisco ASA, “sh vpn-session-db index XXX” where XXX is the number next to the word “Index :”, e.g. 1191.
    But how to get the index number? If I would have a full bash shell, I would do something like that:
    output_of_command | awk '/dieter.fuchs/{getline; print}'

    This would print Index : 1191
    Now I know the dedicated index and can use the number for the next command.
    So how can I get this like the awk command above in the Cisco world?
    Any suggestions?

    Wishes
    Thorsten

  • Hi Thorsten

    I don't think what you want to do is possible with the regex Cisco gives us in IOS. You could do show vpn-session svc | i Username|Index to get a simple list that might be easy to help spot or to get the Index you want easily presented but just outputting the index you're looking for only I think isn't possible 🙁
    Cheers

    m00nie