topic Re: Reformat MAC address in Splunk Search

How to reformat MAC address?

kevinjacks — Thu, 12 May 2022 18:10:28 GMT

I need help reformatting a MAC address field which doesn't have colons to add them.

MAC=123456781122
desired format = 12:34:56:78:11:22

Re: Reformat MAC address

aljohnson_splun — Fri, 10 Jul 2015 20:33:08 GMT

Hmm. I think this is just one way you could do it.

| eval m = tostring(MAC)
| eval MAC = substr(m, 0,2).":".substr(m,2,4).":".substr(m,4,6).":".substr(m,6,8).":".substr(m,8,10).":".substr(m,10)

Re: Reformat MAC address

kevinjacks — Fri, 10 Jul 2015 20:50:24 GMT

you had a typo in there but I see what you're doing. thanks for the help!

this worked:

| eval m = tostring(MAC)
| eval MAC2 = substr(m,1,2).":".substr(m,3,2).":".substr(m,5,2).":".substr(m,7,2).":".substr(m,9,2).":".substr(m,11,2)

Re: Reformat MAC address

CyberSekure — Thu, 23 Nov 2017 14:41:46 GMT

Realise this is a bit late, but came across the same problem and found the below to work as well - might be a bit faster as it's just using one eval?

| eval MAC=replace(MAC, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")

Re: Reformat MAC address

pzharyuk — Fri, 09 Feb 2018 22:52:10 GMT

Hi guys, I'm trying to accomplish the same thing and something is not working, I only get the first MAC address to show up once I create the table, it formats it correctly but it's not what I want.

sourcetype="corp16arp:mib" | rex "ipNetToMediaPhysAddress.\"\d+\".\"(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\"\s+=\s+\"0x(?\w+)" max_match=0 | eval m = tostring(MAC)
| eval MAC = substr(m,0,2).":".substr(m,3,2).":".substr(m,5,2).":".substr(m,7,2).":".substr(m,9,2).":".substr(m,11,2) | table IP MAC

The following regex takes raw SNMP data and creates two fields, IP and MAC: I omitted the full IP and MAC's for security reasons.

RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000

Any advice on this would help.

Re: Reformat MAC address

Anam — Fri, 09 Feb 2018 22:58:15 GMT

Hi @pzharyuk

This question was posted in 2015. If the accepted answer is not working out for you, please post it as a new question so you can get better exposure to your question.

Thanks

Re: Reformat MAC address

ejwade — Thu, 12 May 2022 18:08:41 GMT

@CyberSekure- this is a great approach. I wrapped this into a macro and use it all the time now!