Solved: How to extract mac address from different logs?

marco_massari11 · ‎09-02-2022

Hi,

I'm trying to extract some fields from my Access Point Aruba in order to be CIM compliant. For authentication log I have two kinds of event:

Login failed:

cli[5405]: <341004> <WARN> AP:ML_AP01 <................................> Client 60:f2:62:8c:a8:a7 authenticate fail because RADIUS server authentication failure

Login success:

stm[5434]: <501093> <NOTI> AP:ML_AP01 <..................................> Auth success: 60:f2:62:8c:a8:a7: AP ...................................ML_AP01

My goal is to extract the mac address after "Client" in the first log and the mac after "Auth success" in the second one in a common field called "src", can someone please help me?

Thanks in advance!

ITWhisperer · ‎09-02-2022

| rex "(Client |Auth success: )(?<src>..:..:..:..:..:..)"

View solution in original post

ITWhisperer · ‎09-02-2022

| rex "(Client |Auth success: )(?<src>..:..:..:..:..:..)"

How to extract mac address from different logs?

field extraction

host

props.conf

syslog

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?