https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/747825#M241902 <P>Your first replace effectively reduces the string to 8 characters and the subsequent replaces are expecting 12 characters so the replaces fail. Also, using map is tricky at the best of times, perhaps you could try something like this</P><LI-CODE lang="markup">index=main sourcetype=syslog [| makeresults | eval input_mac="48a4.93b9.xxxx" | eval mac_clean=lower(replace(input_mac, "[^0-9A-Fa-f]", "")) | eval mac_colon=replace(mac_clean, "(..)(..)(..)(..)", "\1:\2:\3:\4:") | eval mac_hyphen=replace(mac_clean, "(..)(..)(..)(..)", "\1-\2-\3-\4-") | eval mac_dot=replace(mac_clean, "(....)(....)", "\1.\2.") | eval query=mvappend(mac_colon, mac_hyphen, mac_dot) | mvexpand query | table query] | table _time host _raw"</LI-CODE> Wed, 11 Jun 2025 15:33:30 GMT ITWhisperer 2025-06-11T15:33:30Z https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/747819#M241896 <P>Hello.</P><P>This search returns zero results, but a manual "OR" search shows results. I cannot find the reason (neither can ChatGPT). The end result would be a query where I can input any format of MAC address in one section, but automatically search for all formats shown.&nbsp;</P><P>Any guidance would be appreciated. BTW, this is a local Splunk installation.&nbsp;</P><P>(Please ignore the "xxxx".)</P><P>| makeresults<BR />| eval input_mac="48a4.93b9.xxxx"<BR />| eval mac_clean=lower(replace(input_mac, "[^0-9A-Fa-f]", ""))<BR />| eval mac_colon=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1:\2:\3:\4:\5:\6")<BR />| eval mac_hyphen=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1-\2-\3-\4-\5-\6")<BR />| eval mac_dot=replace(mac_clean, "(....)(....)(....)", "\1.\2.\3")<BR />| fields mac_clean mac_colon mac_hyphen mac_dot<BR />| eval search_string="\"" . mac_clean . "\" OR \"" . mac_colon . "\" OR \"" . mac_hyphen . "\" OR \"" . mac_dot . "\""<BR />| table search_string<BR />| map search="search index=main sourcetype=syslog ($search_string$) | table _time host _raw"</P> Wed, 11 Jun 2025 13:46:21 GMT https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/747819#M241896 anthonyi 2025-06-11T13:46:21Z https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/747825#M241902 <P>Your first replace effectively reduces the string to 8 characters and the subsequent replaces are expecting 12 characters so the replaces fail. Also, using map is tricky at the best of times, perhaps you could try something like this</P><LI-CODE lang="markup">index=main sourcetype=syslog [| makeresults | eval input_mac="48a4.93b9.xxxx" | eval mac_clean=lower(replace(input_mac, "[^0-9A-Fa-f]", "")) | eval mac_colon=replace(mac_clean, "(..)(..)(..)(..)", "\1:\2:\3:\4:") | eval mac_hyphen=replace(mac_clean, "(..)(..)(..)(..)", "\1-\2-\3-\4-") | eval mac_dot=replace(mac_clean, "(....)(....)", "\1.\2.") | eval query=mvappend(mac_colon, mac_hyphen, mac_dot) | mvexpand query | table query] | table _time host _raw"</LI-CODE> Wed, 11 Jun 2025 15:33:30 GMT https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/747825#M241902 ITWhisperer 2025-06-11T15:33:30Z https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/747834#M241904 <P>Thank you! That gave me the proper direction to go!</P><P>My final, validated version is...</P><P>index=main sourcetype=syslog<BR />[<BR />| makeresults<BR />| eval input_mac="48a4.93b9.xxxx"<BR />| eval mac_clean=lower(replace(input_mac, "[^0-9A-Fa-f]", ""))<BR />| where len(mac_clean)=12<BR />| eval mac_colon=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1:\2:\3:\4:\5:\6")<BR />| eval mac_hyphen=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1-\2-\3-\4-\5-\6")<BR />| eval mac_dot=replace(mac_clean, "(....)(....)(....)", "\1.\2.\3")<BR />| eval query=mvappend(mac_clean, mac_colon, mac_hyphen, mac_dot)<BR />| mvexpand query<BR />| where isnotnull(query)<BR />| fields query<BR />| format<BR />]<BR />| table _raw</P> Wed, 11 Jun 2025 16:25:15 GMT https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/747834#M241904 anthonyi 2025-06-11T16:25:15Z https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/748024#M241932 <P>Just a quick update to my final saved search, which allows a simple double-click and paste of a new MAC in any format, but will never return a result initially. I am using this as a report.</P><P>index=main sourcetype=syslog<BR />[<BR />| makeresults<BR />| eval input_mac="INPUT_HERE"<BR />| eval mac_clean=lower(replace(input_mac, "[^0-9A-Fa-f]", ""))<BR />| where len(mac_clean)=12<BR />| eval mac_colon=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1:\2:\3:\4:\5:\6")<BR />| eval mac_hyphen=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1-\2-\3-\4-\5-\6")<BR />| eval mac_dot=replace(mac_clean, "(....)(....)(....)", "\1.\2.\3")<BR />| eval query=mvappend(mac_clean, mac_colon, mac_hyphen, mac_dot)<BR />| mvexpand query<BR />| where isnotnull(query)<BR />| fields query<BR />| format<BR />]<BR />| table _raw</P> Mon, 16 Jun 2025 13:24:04 GMT https://community.splunk.com/t5/Splunk-Search/Autoformat-and-search-results-similar-to-quot-48a4-93b9-xxxx-OR/m-p/748024#M241932 anthonyi 2025-06-16T13:24:04Z