Good morning Splunkers!
I need help please! I am working on a dashboard that shows a list of MAC Addresses and sometimes the list is over 100 different addresses depending on the area.
So basically, I need to take multiple rows and put them into one line. I have a table that utilizes the nomv command, but it limits the MAC Addresses to 100. I use this table to drilldown to a custom URL, which is another Splunk instance that passes the list of MAC Addresses into another search for further processing.
Below is what I have: it places colons between every two characters of an unformatted MAC address, then throws it into a stats command to list them and add " OR " between each one, and finally nomv takes the multivalue field and puts it into one row. I've played around with using the head and tail commands to get as much as I can; however, it is not enough and gives some duplicates if there are fewer than 200.
| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
| stats list(MAC_Address) as MAC_Address delim=" OR "
| nomv MAC_Address
I was wondering if there is another command/way that will allow me to take more than 100 and put them into one line to pass through? I am open to other methods such as scripting to accomplish this.
If you want to take a list of MAC addresses and format it as a (part of a) search string, use the format command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
e.g.:
...
| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
| fields MAC_Address
| format
Though this results in MAC_Address=x:x:x:x OR MAC_Address=a:b:c:d etc. So if you don't want that MAC_Address= part, you would have to strip that out again.
Thank you for the quick reply! The command works well, but I've found that anything over 150 causes a 414 Request-URI Too Large error haha.
I'm wondering, is there maybe a way to select 0-100, 101-200, 201-300, etc.?
Right, your problem is with passing this to a URL that is called as a drilldown. You might need to run the subsearch that generates the list of MAC addresses again as part of the drilldown, rather than passing the list along.
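As an added illustration (not code from the thread or from Splunk), the script below does outside of SPL what the question's eval/replace and the answer's format command do: it normalizes raw MAC addresses into colon-separated form, drops invalid and duplicate entries, builds the field="…" OR field="…" clause, and then splits the list into batches sized so that each drilldown URL stays under a length limit, which is the "0-100, 101-200, 201-300" idea from the follow-up question. The base URL, the query parameter name q, the 2000-character limit and the sample MAC values are all assumptions for the example; the real limit depends on the web server in front of the target Splunk instance (the thread observed failures at roughly 150 addresses).

```python
import re
from urllib.parse import urlencode

# Constructed sample input: raw MACs as they might come out of an inventory search.
# Mixed separators and one invalid value are included on purpose (hypothetical values).
SAMPLE_MACS = ["001a2b3c4d5e", "00-1A-2B-3C-4D-5F", "00:1a:2b:3c:4d:60",
               "001A2B3C4D5E", "not-a-mac"]

# Assumed drilldown target and query parameter; adjust for the real instance.
BASE_URL = "https://splunk.example/app/search/search"
MAC_RE = re.compile(r"^([0-9a-f]{2}){6}$")


def normalize_mac(raw):
    """Return the lowercase colon-separated form, or None if the input is not
    exactly 12 hex digits once common separators (':', '-', '.') are removed.
    The final substitution mirrors the SPL replace(...) with six (\\w{2}) groups."""
    stripped = re.sub(r"[:\-.\s]", "", raw).lower()
    if not MAC_RE.match(stripped):
        return None
    return re.sub(r"(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})",
                  r"\1:\2:\3:\4:\5:\6", stripped)


def unique_macs(raws):
    """Normalize every input, drop invalid ones and deduplicate, keeping order."""
    out = []
    for raw in raws:
        mac = normalize_mac(raw)
        if mac is not None and mac not in out:
            out.append(mac)
    return out


def build_clause(macs, field="MAC_Address"):
    """Join already-normalized MACs the way the `format` command would:
    field="a" OR field="b" OR ..."""
    return " OR ".join(f'{field}="{mac}"' for mac in macs)


def make_url(base_url, clause):
    """Encode the clause as the drilldown URL (parameter name q is assumed)."""
    return base_url + "?" + urlencode({"q": f"search {clause}"})


def chunk_macs(raws, base_url=BASE_URL, max_url_len=2000, field="MAC_Address"):
    """Greedily split the deduplicated MAC list into batches such that the
    encoded URL for each batch is at most max_url_len characters, so no single
    drilldown exceeds the server's URI limit (the cause of HTTP 414)."""
    batches, batch = [], []
    for mac in unique_macs(raws):
        candidate = batch + [mac]
        if len(make_url(base_url, build_clause(candidate, field))) <= max_url_len:
            batch = candidate
            continue
        if not batch:
            raise ValueError(f"max_url_len={max_url_len} cannot fit even one MAC")
        batches.append(batch)
        batch = [mac]
    if batch:
        batches.append(batch)
    return batches


if __name__ == "__main__":
    print(build_clause(unique_macs(SAMPLE_MACS)))
    # Constructed list of 300 distinct MACs to show the batching.
    many = [f"005056{i:06x}" for i in range(300)]
    for i, b in enumerate(chunk_macs(many), 1):
        url = make_url(BASE_URL, build_clause(b))
        print(f"batch {i}: {len(b)} MACs, URL length {len(url)}")
```

Each batch can be opened as its own drilldown, or the batches can be fed sequentially to the downstream search; either way no URL carries more than the limit allows, and the validation step keeps malformed values out of the generated search string.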