Good morning Splunkers!
I need help sorting through a list of MAC addresses. I have a dashboard that lists them in a drilldown table. I have a list of some 900 MAC addresses, and using the command below helps me pass the search results to another instance of Splunk to insert them into a search.
However, I am getting 414 errors for the URI being too long if there are more than 120 MAC Addresses used.
| eval MAC_UNIT=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
| fields MAC_UNIT
| format
My question: is there a way to select a range of values/results? I'd like to use radio buttons to select results 0-100, 101-200, 201-300, etc.
In the dashboard, you would probably want to create a radio button (to simulate a range of MACs using patterns of MAC address). Alternatively, you can have them in a lookup table with macaddress, id, where id is from 1 to 900 and macaddress is your macaddr. In the drilldown you can look for macaddress from id=1 to id<99, etc.
You could use a search command like accum to number the lines and allow you to further your search.
For example:
your search... | eval number=1 | accum number | where number < 100 AND number > 0
This should look like this
1 MAC1
2 MAC2
3 MAC3
...
900 MAC900
This allows you to pick which range you want to send over and ensure it's less than 120.
Sweet! This helps give them a unique number aka ID and I can use change conditions on the backend and play around with tokens to get the results I need! Thanks a bunch!
Any time @jkcadaing! Best of luck and Happy Splunking!
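The accum numbering suggested above, combined with the radio buttons asked for in the question, as an added Simple XML sketch that is not from any poster in this thread. It generalizes the fixed `where` range to a computed batch number; the token name `batch`, the batch size of 100 and the panel layout are assumptions, and `your search...` stands for the original base search.

```xml
<!-- Added example, not code from the thread.
     Assumptions: token name "batch", batch size 100, a 900-row result set. -->
<form>
  <label>MAC address batches</label>
  <fieldset submitButton="false">
    <input type="radio" token="batch" searchWhenChanged="true">
      <label>Results to send</label>
      <!-- value N selects rows N*100+1 .. (N+1)*100 -->
      <choice value="0">1-100</choice>
      <choice value="1">101-200</choice>
      <choice value="2">201-300</choice>
      <!-- continue the choices up to value="8" (801-900) -->
      <default>0</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- CDATA keeps the regex and comparison characters literal;
               $batch$ is replaced with the selected radio value -->
          <query><![CDATA[
your search...
| eval number=1
| accum number
| eval batch=floor((number-1)/100)
| where batch=$batch$
| eval MAC_UNIT=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
| fields MAC_UNIT
| format
          ]]></query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Each batch holds at most 100 addresses, which stays under the roughly 120-address point where the 414 errors were reported.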