topic Re: Can you help me with a MAC Address Search in a Splunk dashboard? in Splunk Search

Can you help me with a MAC Address Search in a Splunk dashboard?

richardphung — Fri, 04 Jan 2019 00:25:20 GMT

Greetings---

I am trying to build a dashboard form for MAC address regardless of format.

The goal is to simply have a form field which a user can enter a MAC address in ANY format and still derive results whether the MAC address is indexed with dashes ("-"), colons (":"), or nothing at all..

e.g.:

00:00:00:00:00:00 OR 00-00-00-00-00-00 OR 000000000000

search $octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$ OR $octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$

This is what I have so far:
https://answers.splunk.com/answers/710676/why-is-my-query-with-the-eval-command-not-replacin.html
AND:
https://answers.splunk.com/answers/588964/how-can-we-make-multiple-mac-address-formats-be-re.html

I have created a form with tokens to split-up the octets on the MAC address:

<search>
           <done>
             <set token="octet1">$result.octet1$</set>
             <set token="octet2">$result.octet2$</set>
             <set token="octet3">$result.octet3$</set>
             <set token="octet4">$result.octet4$</set>
             <set token="octet5">$result.octet5$</set>
             <set token="octet6">$result.octet6$</set>
           </done>
           <query>$macaddress$
 | eval MAC=replace("$macaddress$","[^A-Za-z0-9]*","")
           | rex field=MAC "^(?&lt;octet1&gt;..)(?&lt;octet2&gt;..)(?&lt;octet3&gt;..)(?&lt;octet4&gt;..)(?&lt;octet5&gt;..)(?&lt;octet6&gt;..)$"
           | dedup octet1
 | table octet1 octet2 octet3 octet4 octet5 octet6</query>
           <earliest>$field2.earliest$</earliest>
           <latest>$field2.latest$</latest>
         </search>

*Thanks to twinspop

And it looks like it is failing with the EVAL function.

It only seems to find MAC Addresses with colons, but cannot parse mac addresses with any other octet delimiters.

My questions to the community are:
1) "Why is my eval + replace function failing on anything other than a colon?"
And
2) "why hasn't this been done?"....

Maybe I am a newb in asking, but doesn't this seem like a pretty standard thing?

.... Switches, Routers, DHCP, RADIUS... they all use different formats for MAC Address in logs.

Re: Can you help me with a MAC Address Search in a Splunk dashboard?

sdchakraborty — Fri, 04 Jan 2019 09:11:46 GMT

Hi Richard,

Can you use the below search and see whether its working for you. Just change the query portion. Assuming your mac address textbox token name is "macaddress"

| makeresults
| eval mac_address = $macaddress$
| rex max_match=0   field=mac_address "(?<octates>\d\d)[:|-]?"
| eval octet1 = mvindex(octates,0),octet2 = mvindex(octates,1),octet3 = mvindex(octates,2),octet4 = mvindex(octates,3),octet5 = mvindex(octates,4),octet6 = mvindex(octates,5)
| table octet1 octet2 octet3 octet4 octet5 octet6

Sid

Re: Can you help me with a MAC Address Search in a Splunk dashboard?

richardphung — Tue, 29 Sep 2020 22:39:12 GMT

BOOM!
Thanks, Sid.

Also, this works best:
| rex max_match=0 field=mac_address "(?..)[\D]?"

Re: Can you help me with a MAC Address Search in a Splunk dashboard?

sdchakraborty — Fri, 04 Jan 2019 15:05:54 GMT

Cool.yep agree with your rex. Have a nice day.

Sid

Re: Can you help me with a MAC Address Search in a Splunk dashboard?

nickhills — Fri, 04 Jan 2019 15:10:34 GMT

I wonder if (?<octates>[A-Fa-f0-9]{2}) might be even 'safer'

Re: Can you help me with a MAC Address Search in a Splunk dashboard?

sdchakraborty — Fri, 04 Jan 2019 15:32:14 GMT

Even better rex as MAC address going to be hex numbers.