topic Re: How to Extract Mac Address Field from Cisco Mac Address Notification Traps in Splunk Search

How to Extract Mac Address Field from Cisco Mac Address Notification Traps

lim23 — Mon, 23 Apr 2012 20:32:53 GMT

Hello,

I am trying to extract the mac address from the following snmp trap. The mac address is embedded in the Hex-STRING. I want to skip over the first two octets after 'Hex-STRING' and use the following 6 octets. The first two: 02 00, can be diffrent depending on which switch is sending the snmp trap.

In this case, the MAC address that I would like to capture is:
91 08 00 11 19 D3.

2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) TRAP, SNMP v1, community blah    SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific Trap (1) Uptime: 384 days, 23:02:38.16    SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00

The following REX Does NOT give me what I want:
(?i).*? (?P\s+\s+\d+\s+[a-f0-9]+\s+[a-f0-9]+\s+\d+\s+[a-f0-9]+)\s+\d+\s+\d+

Re: How to Extract Mac Address Field from Cisco Mac Address Notification Traps

kristian_kolb — Tue, 24 Apr 2012 08:42:31 GMT

Hi,

Your regex looks a bit complex, and also there are 2 \s+ as the first parts of the field you wish to extract. Also, there is the possibility that A-F may occur in other places than where you specified. Finally, your regex is not anchoring to any particular point in the event, so you could get strange results.

You could try it as a rex extraction:

your_search | rex "Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})"

or in props.conf

[your_sourcetype] 
EXTRACT-cisco_MAC = Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})

Hope this helps,

Kristian

Re: How to Extract Mac Address Field from Cisco Mac Address Notification Traps

lim23 — Mon, 28 Sep 2020 11:43:18 GMT

Thanks for your response Kristian. I used your regex to build a little table to parse out the Cisco mac notification snmp-trap.

The 12 byte hex string has the following information in it.

first byte = operation (01 for added and 02 for removed mac address from its arp tables)
second+third byte = VLan (In HEX)
fourth-ninth byte = MAC Address
tenth-eleventh byte = Switch Interface (In HEX)
twelfth byte = operation (never seen this byte used)

Here is what I did with your help.

my_search | rex "Hex-STRING:(?[\sa-fA-F0-9]{3})(?[\sa-fA-F0-9]{6})(?[\sa-fA-F0-9]{18})(?[\sa-fA-F0-9]{6})" | rex "(?i)(?P[^ ]+)\s+(?:\[[^\n\[]*){2}" | eval ACTION2=replace(ACTION1,"01","Added") | eval ACTION=replace(ACTION2,"02","Removed") | eval VLAN1=replace(VLAN_HEX,"\s","") | eval PORT1=replace(PORT_HEX,"\s","") | eval PORT=tonumber(PORT1, 16) | eval VLAN=tonumber(VLAN1, 16) | table _time, MAC_ADDRESS, ACTION, VLAN, PORT, SWITCH

Re: How to Extract Mac Address Field from Cisco Mac Address Notification Traps

kristian_kolb — Wed, 25 Apr 2012 07:08:48 GMT

Good that it worked for you. Perhaps you could tidy it up a little more by not including the whitespace in the fields you extract, i.e. do;
Hex-String:\s(?\d\d)\s+(?[a-fA-F0-9]{5})\s etc etc

Anyway, please mark the question as answered a/o upvote if your problem was solved. Thanks.

/kristian

Re: How to Extract Mac Address Field from Cisco Mac Address Notification Traps

lim23 — Wed, 25 Apr 2012 20:30:06 GMT

Thanks, I have included my search and rex, in case anyone out there is looking to use Splunk for real time end user tracking.

Re: How to Extract Mac Address Field from Cisco Mac Address Notification Traps

kristian_kolb — Thu, 26 Apr 2012 07:02:36 GMT

Please mark as answered and/or upvote if your problem was solved, thanks.

/kristian