topic How can we make multiple MAC address formats be readable in one search, regardless of format? in Splunk Search

How can we make multiple MAC address formats be readable in one search, regardless of format?

rpquinlan — Mon, 06 Nov 2017 19:45:31 GMT

I'm still pretty new so the answer is probably easy, but am stuck trying to making this search form work. The goal is to allow our users to enter a MAC address in any format such as:
0030652afccb
00:30:65:2a:fc:cb
00-30-65-2a-fc-cb
00 30 65 2a fc cb
0030.652a.fccb
and have it search across the index for anything that matches (which could be in most of the above formats), and display the log messages that match. For the sake of simplicity, we'll say the index=network (but it's really several indexes) Not all of the MAC addresses are parsed into searchable fields in all the indexes, so we are free-text searching.

My thought is the best way to accomplish this is to:

In the form, the user enters (or pastes) the MAC address into the field, giving it the token of $mac_address$.
Take the entered MAC and convert it to a concatenated mac, (i.e. 0030652afccb) for easy rex'ing. (tested - this works, thanks @wrangler2x ) eval MAC=replace("$mac_address$","[\s.:-]","")
extract the 6 octets of the MAC address into 6 fields - (tested and works) rex field=MAC "^(?<octet1>..)(?<octet2>..)(?<octet3>..)(?<octet4>..)(?<octet5>..)(?<octet6>..)$"
Perform a search using the contents of the 6 extracted octet fields (this is where I'm stuck) - index=network "$octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$" OR "$octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$" OR "$octet1$$octet2$.$octet3$$octet4$.$octet5$$octet6$" OR "$octet1$$octet2$$octet3$$octet4$$octet5$$octet6$"

I'm stuck trying to get the 6 extracted octet values to populate the search in step 3. If this matters, I'm building it in an XML form, but only the search query isn't working..

Thanks in advance!

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

cpetterborg — Mon, 06 Nov 2017 20:43:08 GMT

Are you sure that step #2 is producing the results you want? That seems like a question about something obvious, but your step #3 seems to be fine. That's why I ask that question.

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

rpquinlan — Mon, 06 Nov 2017 20:51:47 GMT

When I added something like this to the search

| table octet1,octet2,octet3,octet4,octet5,octet6,_raw

it did populate those 6 columns with a broken out version of the MAC address I entered.. Perhaps I'm just failing in trying to create the entire search string?

My whole query is:
index=network "$octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$" OR "$octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$" OR "$octet1$$octet2$.$octet3$$octet4$.$octet5$$octet6$" OR "$octet1$$octet2$$octet3$$octet4$$octet5$$octet6$" | eval MAC=replace("$mac_address$","[\s.:-]","") | rex field=MAC "^(?<octet1>..)(?<octet2>..)(?<octet3>..)(?<octet4>..)(?<octet5>..)(?<octet6>..)$"
But when I submit this, nothing happens.. "Search is waiting for input"

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

rpquinlan — Mon, 06 Nov 2017 21:21:25 GMT

I typo'd the original question.

What I meant to say was "I'm stuck trying to get the 6 extracted octet values to populate the search in step 4"
1, 2, 3 seem to be doing what I need them to. Sorry about that!

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

lfedak_splunk — Mon, 06 Nov 2017 21:23:30 GMT

Hey @rpquinlan, Can you let me know approximately what time you posted when your comment disappeared? I'll investigate the platform records.

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

rpquinlan — Mon, 06 Nov 2017 21:26:43 GMT

Browser cache issue I think.. it's there now.. my apologies.

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

cpetterborg — Mon, 06 Nov 2017 23:10:52 GMT

So the values for the octets need to be in tokens in order to use $octet1$ (for example). Have you done that in your dashboard?

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

DalJeanis — Mon, 06 Nov 2017 23:35:53 GMT

Run each of the tests one at a time and see which one kills it. I believe the issue may be with the last one, because I've had problems with two tokens together. The middle dollar signs together might be what is messing it up. You may have to extract the double-octets separately and use them that way.

$octet1$$octet2$

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

rpquinlan — Tue, 07 Nov 2017 13:22:13 GMT

I'm quite sure I have not done that. Are you able to help with how, since the octets are created by the rex in the query? I'm stuck trying to figure that out.

Re: How can we make multiple MAC address formats be readable in one search, regardless of format?

richardphung — Mon, 17 Dec 2018 17:11:03 GMT

@rpquinlan did you ever get this figured out?
I am also trying to do a multi-format search via dashboard and I got about as far as your last post.

Thanks.