Mac address field extraction

dkoski · ‎03-21-2012

So I have a situation where all my logs come in via syslog (sourcetype=syslog, source=udp:514) and are lumped together. The first this I would like to do is to extract a mac address for reporting that can occur anywhere in a dhcpd message. I'm unable to figure out how to flag this easily. Any one have any thoughts? Here are a few examples:

dhcpd: DHCPACK on 10.100.10.12 to 00:00:00:00:00:00 via 10.10.10.10
dhcpd: DHCPREQUEST for 10.20.44.2 from via 10.10.10.12
dhcpd: DHCPDISCOVER from 00:00:00:00:00:00 via 10.44.21.10: network 10.21.23.3/21: no free leases

The other issue at play here is we may want to do this at index time. Is there any easy way to do this since everything is sourcetype=syslog and lumped in with a large number of other types of unrelated log messages (routers, switches, etc).

yannK · ‎01-14-2014

try something like this tat will handle multiple formats.
and format without any separators.

| rex "(?<mac>[a-fA-F0-9\.:-]{12,17})" | rex field=mac mode=sed "s/(\.|:|-)//g"

Ayn · ‎03-21-2012

Can you explain why you want to do it at index-time?

MarioM · ‎03-21-2012

the apps for has got it all : DHCPD App, did you have a look at it?

tbaschak · ‎04-10-2012

This app has gone mysteriously missing recently 😞

Mac address field extraction

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...