All Apps and Add-ons

How to extract MAC address from log file?

lwm4p
Path Finder

I am really new to Splunk, but I have searched the questions here and don't seem to find an answer to my problem. I have just started the online sandbox and am messing around with a log file from one of our applications (so it is a custom log file).

A line in the log file looks like this:

[08/03/14 03:07:49, 127.0.0.1, N/A] [Source: 10.50.2.15:55000] PresenceSensor: Sensor 00:00:CC:DD:00:00 rebooted

What I want to do is extract the MAC Address from this line and then create a bar graph showing when this line was recorded for a particular MAC Address.

I loaded in the file and I see the indexed data. It automatically separated the date out and the rest of the stuff is in the 'Event' column. I created an Extract Field with this config:

Trace : EXTRACT-mac_address Inline ([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$ admin search Global | Permissions Enabled

Now, I go back the search area and I don't see this field anywhere. Isn't it supposed to just show up? How do I make use of this extracted field?
- I have check the sourcetype
- I have opened up the 'More Fields' area and it is not there even with the 'All fields' option at the top
- I have adjusted the permissions (they are completely global and for every app)

What am I missing? It is probably something obvious, so please be gentle.

1 Solution

lwm4p
Path Finder

Well, I have figured out a few things last night that helped me understand why things sometimes don't show.. writing it here for other newbies to reference. Thanks to everyone for responding, the answers definitely helped me eliminate things:

  • The regex for an extracted field has to be perfect, or the field will not show. I started using an app that helps me write the extractions (search in the app area) and that helped out a lot.
  • Using the cloud version is a bit tough because I didn't have access to the props.conf. When I installed locally, I could watch when files changed and understand where I should be putting different configuration stuff.
  • Get the permissions correct, both on the field itself AND on the config files! For some reason, I would enter an extract field in teh GUI and no files were getting written... I changed the permissions at the OS level and it worked.
  • The field will NOT show if the current set of data on the screen doesn't have it in the events. You must filter in search (by time or whatever) to get that event in the current area. Then the field shows. This goes for all fields, they are dynamic based on what data is up at the time, it doesn't just show all fields for your sourcetype all the time.
  • A great quick tester for regex is notepad++ (I am sure there are others, but I already use that for other things). It is on the 'find' window, where you can enter your regex and search the file for it, verifying that works.

View solution in original post

lwm4p
Path Finder

Well, I have figured out a few things last night that helped me understand why things sometimes don't show.. writing it here for other newbies to reference. Thanks to everyone for responding, the answers definitely helped me eliminate things:

  • The regex for an extracted field has to be perfect, or the field will not show. I started using an app that helps me write the extractions (search in the app area) and that helped out a lot.
  • Using the cloud version is a bit tough because I didn't have access to the props.conf. When I installed locally, I could watch when files changed and understand where I should be putting different configuration stuff.
  • Get the permissions correct, both on the field itself AND on the config files! For some reason, I would enter an extract field in teh GUI and no files were getting written... I changed the permissions at the OS level and it worked.
  • The field will NOT show if the current set of data on the screen doesn't have it in the events. You must filter in search (by time or whatever) to get that event in the current area. Then the field shows. This goes for all fields, they are dynamic based on what data is up at the time, it doesn't just show all fields for your sourcetype all the time.
  • A great quick tester for regex is notepad++ (I am sure there are others, but I already use that for other things). It is on the 'find' window, where you can enter your regex and search the file for it, verifying that works.

lwm4p
Path Finder

Ran that it is got rid of all the indexed stuff... at least, it then showed zero events and the data screen said 'Waiting for Data'. I reloaded the log file in, checked to make sure the extraction field was still there, and then to the search area. Still has the defaults and my field does not show. I feel like I am missing something simple... I really appreciate your help on this. Maybe this is a problem with the cloud sandbox instance?

0 Karma

somesoni2
Revered Legend

Can you try running this and see if the field appears?

sourcetype=Trace | extract reload=t

0 Karma

lwm4p
Path Finder

Hmm... still doesn't show up. I modified my extraction field to the below and then went back to the search area and only the regular fields are there.

https://www.dropbox.com/s/h821lgztz2tm5ef/extraction_field.PNG

which has these params:
Trace : EXTRACT-mac_address
Inline

Sensor (?(d|w{2}):(d|w{2}):(d|w{2}):(d|w{2}):(d|w{2}):(d|w{2})) rebooted

admin
search
Global | Permissions
Enabled

Here is a pic of my search screen:
https://www.dropbox.com/s/3314frx2bea5psf/Search_Screen.PNG

0 Karma

somesoni2
Revered Legend

I was coming to that 🙂

Now, create the field extraction with following configuration:
Name: mac_address
Sourcetype: Trace
Type: Inline
Extraction/Transform:Sensor (?(d|w{2}):(d|w{2}):(d|w{2}):(d|w{2}):(d|w{2}):(d|w{2})) rebooted

And you should see the field extracted automatically on the sidebar. (Basically, use whatever you mentioned in rex command in the field extraction regex)

0 Karma

lwm4p
Path Finder

When I test this:
sourcetype=Trace | rex "Sensor (?(\d|\w{2}):(\d|\w{2}):(\d|\w{2}):(\d|\w{2}):(\d|\w{2}):(\d|\w{2})) rebooted"

It creates a field called 'example_mac' that shows on the left... While that is not surprising, it still leaves my original question open. I defined an extraction field called mac_address and that does not show up anywhere and does not seem to be able to be used. ??

0 Karma

lwm4p
Path Finder

I put in this string:
sourcetype=Trace | table _raw | rex "Sensor (?([0-9A-F]{2}[:-]){5}([0-9A-F]{2}))"

I get every event returned, the field does not show up in the search field list, and my other field 'mac_address' goes away.

0 Karma

somesoni2
Revered Legend

Can you test following and tell me if you get the field MAC_ADDR?

your base search | table _raw | rex "(?([0-9A-F]{2}[:-]){5}([0-9A-F]{2}))"

0 Karma

lwm4p
Path Finder

I finally got the field to show up... but am not really sure why or if it is even the configured extraction field. All I did was put this line in:
sourcetype=Trace | rex "Sensor (?(\d|\w{2}):(\d|\w{2}):(\d|\w{2}):(\d|\w{2}):(\d|\w{2}):(\d|\w{2})) rebooted"

All of a sudden, the field is now present on the left side of the search area and I could click on it and ask to graph it over time... got my graph. If anyone can explain that, please do.

0 Karma

AlyssaR
Explorer

Have you verified that it's extracting events properly now? Use the IFX tool, which you get to by clicking the Extract Fields menu option on an event in search.

lwm4p
Path Finder

OK, I have changed the regex for the extract field to that, thank you. My original problem still exists though, where this new field does not show up for me in the list of fields for search, how do I get it to show there?

0 Karma

sk314
Builder

try this regex.([A-F0-9]{2}[:-]){5}[A-F0-9]{2}

lwm4p
Path Finder

ok, I am sure the regex is probably not correct. Will bad regex mean that the extract field does not even show? I guess I was expecting the field to show and then just have zero results or an error if the regex was bad... but the field not showing up at all made me think I have an earlier step wrong.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your regex says to expect the MAC address at the end of the line, but the MAC address is not at the end.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...