Hello fellow Splunkers! First post here on the forums.
I've been looking around and trying to do this particular task for over a week but I feel I've hit a wall. I want to be able to edit a text input from a dashboard where the user will enter a MAC address with colons, but in search use that same MAC address but without colons. Reason being that the user will get the MAC addresses from sourcetype=linux_syslog where the field with the MAC address will have the value with colons: macAddr="a1:b2:c3:d4:e5:f6"
That MAC address will then be used in sourcetype=radius where the field with the MAC address does NOT have colons: radMacAddr="a1b2c3d4e5f6"
I currently use the token of $mac_address$ for the inputted text and use rex to take out the colons:
| eval rex_macaddr="$mac_address$" | rex mode=sed field=rex_macaddr "s/://g"
This creates the field rex_macaddr with the inputted MAC address to appear without colons (progress for me!).
This is where I hit a wall. I feel I'm going about this the wrong way entirely. When doing it the way in the paragraph above, there will be 2 fields with the same values in sourcetype=radius.
1. radMacAddr="a1b2c3d4e5f6" - the original field I need to search through.
2. rex_macaddr="a1b2c3d4e5f6" - the newly created field from the user text input.
As you can see, this doesn't really help me unless I can create a new token based on the single result of rex_macaddr. If possible I wouldn't mind trying it out, but I feel I need to reach out and ask more experienced Splunkers on the best way to go about solving my problem.
Thank you all greatly!
Probably a ton of different ways to do this. But one option could be to create a new token when the mac address is entered in the text box, and use that token for your radius search. So, something like this inside your textbox input definition.
<change>
<eval token="t_mac_no_colon">replace($value$,":","")</eval>
</change>
And then use the new $t_mac_no_colon$ token when searching your radius logs. Something like this:
index=your_radius_index sourcetype=your_radius_sourcetype radMacAddr="$t_mac_no_colon$"
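The two pieces from the answer above wired into one complete form, as an added example that is not part of the original posts. Assumptions: the dashboard and input labels, the 24-hour time range, the `depends` attribute on the panel and the `|s` token filter (which wraps the user-supplied value in quotes and escapes it before it reaches the search) are additions; the index and sourcetype names are the answer's own placeholders.

```xml
<form>
  <label>RADIUS lookup by MAC (added example)</label>
  <fieldset submitButton="true">
    <input type="text" token="mac_address">
      <label>MAC address, e.g. a1:b2:c3:d4:e5:f6</label>
      <change>
        <!-- Runs whenever the text box value changes: derive a second
             token holding the same MAC with the colons stripped. -->
        <eval token="t_mac_no_colon">replace($value$,":","")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- depends: the panel (and its search) stays hidden until the
         derived token has been set by the change handler above. -->
    <panel depends="$t_mac_no_colon$">
      <title>RADIUS events for $t_mac_no_colon$</title>
      <event>
        <search>
          <!-- |s quotes and escapes the value, so text typed into the
               box is matched as a literal string and cannot close the
               quotes and append its own search commands. -->
          <query>index=your_radius_index sourcetype=your_radius_sourcetype radMacAddr=$t_mac_no_colon|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
```

Because `|s` already adds the surrounding quotes, the token is not wrapped in a second pair of quotes inside the query.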
test_mac_address
<input type="text" token="field1">
<label>field1</label>
</input>
<panel>
<event>
<search>
<query>index=* host=* sourcetype="*" mac=$field1$</query>
<earliest>1498276800</earliest>
<latest>1498363200</latest>
</search>
</event>
</panel>
Thank you very much maciep! It worked out perfectly. I honestly didn't know about <change> in simpleXML. I'll add it to my arsenal of knowledge now. My thanks.