topic Re: How to Match the First three characters of a MAC address within a lookup table field in Splunk Search

How to Match the First three characters of a MAC address within a lookup table field

leykmekoo — Mon, 17 Jun 2024 21:25:04 GMT

Hello,

I have a lookup table where a list of MAC addresses are listed with the associated Vendors; basically an identifier. However, the mac address in this lookup table (column name is 'prefix') only has the three characters - xx:xx:xx. What I'm trying to do is write a query to find devices that were assigned/renewed an IP address from the DHCP server and based on their Mac address information in the result, identify the vendor. I was able to filter the first three characters from the result but when adding the lookup table to enrich the result with the Vendor information, I'm getting zero results. What am I doing wrong here? Thanks in advance!

index=some_dhcp description=renew | eval d_mac=dest_mac | rex field=d_mac "(?P<d_mac>([0-9-Fa-f]{2}[:-]){3})" | lookup vendor.csv Prefix as d_mac OUTPUT Prefix Vendor_Name | search Prefix=* | table date dest_mac Vendor_Name description

Re: How to Match the First three characters of a MAC address within a lookup table field

yuanliu — Sun, 16 Jun 2024 22:19:06 GMT

Have you set up the Prefix field to match_type WILDCARD? See Share a lookup table file with apps.

Re: How to Match the First three characters of a MAC address within a lookup table field

leykmekoo — Sun, 16 Jun 2024 23:49:17 GMT

Yes, I've created a lookup definition and set the Match type as 'WILDCARD(Prefix)'. However, I'm still not getting results. When commenting out the lookup, I get results.

Re: How to Match the First three characters of a MAC address within a lookup table field

bowesmana — Mon, 17 Jun 2024 00:56:12 GMT

Does your lookup definition contain nnn* or just nnn - to use wildcard, the lookup itself should have an asterisk

Re: How to Match the First three characters of a MAC address within a lookup table field

leykmekoo — Mon, 17 Jun 2024 18:22:38 GMT

Adding a wildcard to a 1000+ lookup table was a pain 😶 but that seems to resolve the issue i was having. 😊😊 It's a good lesson as well. Thank you and everyone for your recommendations!!

Re: How to Match the First three characters of a MAC address within a lookup table field

bowesmana — Mon, 17 Jun 2024 22:28:05 GMT

@leykmekoo A tip for the future 😀

| inputlookup your_lookup | eval your_wildcard_field=your_wildcard_field."*" | outputlookup your_lookup

Re: How to Match the First three characters of a MAC address within a lookup table field

leykmekoo — Tue, 18 Jun 2024 02:02:43 GMT

Great! Thanks!