https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207187#M22063 <P>With a lot of research I found out the formula:</P> <PRE><CODE>sourcetype="cisco:asa" message_id=604103 |rex mode=sed field=src_mac "s/01//g" | rex mode=sed field=src_mac "s/[:. -]//g" | rex mode=sed field=src_mac "s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/" </CODE></PRE> <P>However, can I would like to have it at index time and not search time...</P> Mon, 26 Sep 2016 07:39:03 GMT andresito123 2016-09-26T07:39:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207184#M22060 <P>Good morning community!</P> <P>I have a dead-end and hope somebody helped me.</P> <P>I have this Cisco ASA MAC address format: "0118.3a2d.584b.5e".</P> <P>When I read Network Traffic data model, I saw the recommendation:</P> <BLOCKQUOTE> <P>The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator. </P> </BLOCKQUOTE> <P>The question is how I can transform at index time MAC address from "0118.3a2d.584b.5e" to "01:18:3a:2d:58:4b:5e".</P> <P>Thanks in advance,<BR /> Andreas</P> Fri, 23 Sep 2016 09:31:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207184#M22060 andresito123 2016-09-23T09:31:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207185#M22061 <P>pls check this one - <BR /> <A href="https://answers.splunk.com/answers/870/how-to-normalize-mac-address-format.html">https://answers.splunk.com/answers/870/how-to-normalize-mac-address-format.html</A></P> Fri, 23 Sep 2016 09:46:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207185#M22061 inventsekar 2016-09-23T09:46:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207186#M22062 <P>I have tried this configuration on transforms.conf but with no luck:</P> <PRE><CODE>[src_mac] REGEX = 01([0-9A-Fa-f]{2})[.]([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})[.]([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})[.]([0-9A-Fa-f]{2}) FORMAT = src_mac::$1:$2:$3:$4:$5:$6 </CODE></PRE> Fri, 23 Sep 2016 14:36:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207186#M22062 andresito123 2016-09-23T14:36:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207187#M22063 <P>With a lot of research I found out the formula:</P> <PRE><CODE>sourcetype="cisco:asa" message_id=604103 |rex mode=sed field=src_mac "s/01//g" | rex mode=sed field=src_mac "s/[:. -]//g" | rex mode=sed field=src_mac "s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/" </CODE></PRE> <P>However, can I would like to have it at index time and not search time...</P> Mon, 26 Sep 2016 07:39:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207187#M22063 andresito123 2016-09-26T07:39:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207188#M22064 <P>Hi, please check - Index-time field extraction examples<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configureindex-timefieldextraction">http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configureindex-timefieldextraction</A></P> <P>Best Regards,<BR /> Sekar</P> Mon, 26 Sep 2016 08:19:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207188#M22064 inventsekar 2016-09-26T08:19:51Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207189#M22065 <P>You can use SEDCMD in props.conf on the indexer to perform this operation on the raw data before it gets indexed.</P> Tue, 04 Oct 2016 21:45:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ASA-MAC-address-re-format/m-p/207189#M22065 mcronkrite_splu 2016-10-04T21:45:42Z