All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ASA MAC address re-format

andresito123
Communicator
‎09-23-2016 02:31 AM

Good morning community!

I have a dead-end and hope somebody helped me.

I have this Cisco ASA MAC address format: "0118.3a2d.584b.5e".

When I read Network Traffic data model, I saw the recommendation:

The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field. Note: Always use colons instead of dashes, spaces, or no separator.

The question is how I can transform at index time MAC address from "0118.3a2d.584b.5e" to "01:18:3a:2d:58:4b:5e".

Thanks in advance,
Andreas

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andresito123
Communicator
‎09-26-2016 12:39 AM

With a lot of research I found out the formula:

sourcetype="cisco:asa" message_id=604103 |rex mode=sed field=src_mac "s/01//g" | rex mode=sed field=src_mac "s/[:. -]//g" | rex mode=sed field=src_mac "s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/"

However, can I would like to have it at index time and not search time...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-26-2016 01:19 AM

Hi, please check - Index-time field extraction examples
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configureindex-timefieldextraction

Best Regards,
Sekar

Reply
Solved! Jump to solution
Solution

andresito123
Communicator
‎09-26-2016 12:39 AM

With a lot of research I found out the formula:

sourcetype="cisco:asa" message_id=604103 |rex mode=sed field=src_mac "s/01//g" | rex mode=sed field=src_mac "s/[:. -]//g" | rex mode=sed field=src_mac "s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/"

However, can I would like to have it at index time and not search time...

0 Karma
Reply
Solved! Jump to solution

mcronkrite_splu
Splunk Employee
Splunk Employee
‎10-04-2016 02:45 PM

You can use SEDCMD in props.conf on the indexer to perform this operation on the raw data before it gets indexed.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-23-2016 02:46 AM

pls check this one -
https://answers.splunk.com/answers/870/how-to-normalize-mac-address-format.html

0 Karma
Reply
Solved! Jump to solution

andresito123
Communicator
‎09-23-2016 07:36 AM

I have tried this configuration on transforms.conf but with no luck:

[src_mac]
REGEX = 01([0-9A-Fa-f]{2})[.]([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})[.]([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})[.]([0-9A-Fa-f]{2})
FORMAT = src_mac::$1:$2:$3:$4:$5:$6
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...