Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me with a MAC Address Search in a Spl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with a MAC Address Search in a Splunk dashboard?
Greetings---
I am trying to build a dashboard form for MAC address regardless of format.
The goal is to simply have a form field which a user can enter a MAC address in ANY format and still derive results whether the MAC address is indexed with dashes ("-"), colons (":"), or nothing at all..
e.g.:
00:00:00:00:00:00 OR 00-00-00-00-00-00 OR 000000000000
search $octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$ OR $octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$
This is what I have so far:
https://answers.splunk.com/answers/710676/why-is-my-query-with-the-eval-command-not-replacin.html
AND:
https://answers.splunk.com/answers/588964/how-can-we-make-multiple-mac-address-formats-be-re.html
I have created a form with tokens to split-up the octets on the MAC address:
<search>
<done>
<set token="octet1">$result.octet1$</set>
<set token="octet2">$result.octet2$</set>
<set token="octet3">$result.octet3$</set>
<set token="octet4">$result.octet4$</set>
<set token="octet5">$result.octet5$</set>
<set token="octet6">$result.octet6$</set>
</done>
<query>$macaddress$
| eval MAC=replace("$macaddress$","[^A-Za-z0-9]*","")
| rex field=MAC "^(?<octet1>..)(?<octet2>..)(?<octet3>..)(?<octet4>..)(?<octet5>..)(?<octet6>..)$"
| dedup octet1
| table octet1 octet2 octet3 octet4 octet5 octet6</query>
<earliest>$field2.earliest$</earliest>
<latest>$field2.latest$</latest>
</search>
*Thanks to twinspop
And it looks like it is failing with the EVAL function.
It only seems to find MAC Addresses with colons, but cannot parse mac addresses with any other octet delimiters.
My questions to the community are:
1) "Why is my eval + replace function failing on anything other than a colon?"
And
2) "why hasn't this been done?"....
Maybe I am a newb in asking, but doesn't this seem like a pretty standard thing?
.... Switches, Routers, DHCP, RADIUS... they all use different formats for MAC Address in logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Richard,
Can you use the below search and see whether its working for you. Just change the query portion. Assuming your mac address textbox token name is "macaddress"
| makeresults
| eval mac_address = $macaddress$
| rex max_match=0 field=mac_address "(?<octates>\d\d)[:|-]?"
| eval octet1 = mvindex(octates,0),octet2 = mvindex(octates,1),octet3 = mvindex(octates,2),octet4 = mvindex(octates,3),octet5 = mvindex(octates,4),octet6 = mvindex(octates,5)
| table octet1 octet2 octet3 octet4 octet5 octet6
Sid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BOOM!
Thanks, Sid.
Also, this works best:
| rex max_match=0 field=mac_address "(?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wonder if (?<octates>[A-Fa-f0-9]{2}) might be even 'safer'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Even better rex as MAC address going to be hex numbers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool.yep agree with your rex. Have a nice day.
Sid
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
