Splunk Search

How can we make multiple MAC address formats be readable in one search, regardless of format?

rpquinlan
Path Finder

I'm still pretty new, so the answer is probably easy, but I am stuck trying to make this search form work. The goal is to allow our users to enter a MAC address in any format such as:
0030652afccb
00:30:65:2a:fc:cb
00-30-65-2a-fc-cb
00 30 65 2a fc cb
0030.652a.fccb
and have it search across the index for anything that matches (which could be in most of the above formats), and display the log messages that match. For the sake of simplicity, we'll say the index=network (but it's really several indexes). Not all of the MAC addresses are parsed into searchable fields in all the indexes, so we are free-text searching.

My thought is the best way to accomplish this is to:

  1. In the form, the user enters (or pastes) the MAC address into the field, giving it the token of $mac_address$.
  2. Take the entered MAC and convert it to a concatenated mac, (i.e. 0030652afccb) for easy rex'ing. (tested - this works, thanks @wrangler2x ) eval MAC=replace("$mac_address$","[\s.:-]","")
  3. extract the 6 octets of the MAC address into 6 fields - (tested and works) rex field=MAC "^(?<octet1>..)(?<octet2>..)(?<octet3>..)(?<octet4>..)(?<octet5>..)(?<octet6>..)$"
  4. Perform a search using the contents of the 6 extracted octet fields (this is where I'm stuck) - index=network "$octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$" OR "$octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$" OR "$octet1$$octet2$.$octet3$$octet4$.$octet5$$octet6$" OR "$octet1$$octet2$$octet3$$octet4$$octet5$$octet6$"

I'm stuck trying to get the 6 extracted octet values to populate the search in step 3. If this matters, I'm building it in an XML form, but only the search query isn't working.

Thanks in advance!

0 Karma
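Here is the normalise-and-expand procedure from steps 1 to 4 carried out end to end, as an added example that is not code from the original post or from Splunk. It assumes the index name `network` from the post, the five input formats listed above, and a handful of log lines constructed for the example. It validates the input (12 hex digits and nothing else, which also keeps quotes, `OR` and pipes from riding into the query on the `$mac_address$` token), produces the five spellings, emits the OR'd free-text SPL search, and, as an offline stand-in for that search, runs one regex over the sample lines to show which ones match regardless of how each source wrote the MAC.

```python
"""
Added example (not from the original post): normalise a MAC address entered in
any of the five formats, expand it into every spelling that may appear in the
logs, and build the free-text Splunk search the thread is trying to assemble.
The index name "network" is from the post; the log lines are constructed.
"""
import re

# Separators accepted on input: whitespace, '.', ':' and '-' (the same class
# the post's replace() call strips).
_SEPARATORS = re.compile(r"[\s.:-]")

# Any of the five formats embedded in free text. The lookarounds stop a
# 12-digit match from being carved out of a longer hex string such as a hash.
MAC_IN_TEXT = re.compile(
    r"(?<![0-9a-f])("
    r"(?:[0-9a-f]{2}[:\- ]){5}[0-9a-f]{2}"  # 00:30:65:2a:fc:cb, 00-30-..., 00 30 ...
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"     # 0030.652a.fccb (Cisco style)
    r"|[0-9a-f]{12}"                         # 0030652afccb
    r")(?![0-9a-f])",
    re.IGNORECASE,
)


def normalize_mac(text: str) -> str:
    """Return the MAC as 12 lower-case hex digits, or raise ValueError.

    Rejecting anything else also means a user cannot smuggle search syntax
    (quotes, OR, pipes) into the query through the form token.
    """
    compact = _SEPARATORS.sub("", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", compact):
        raise ValueError(f"not a MAC address: {text!r}")
    return compact


def is_valid_mac(text: str) -> bool:
    """True if normalize_mac() would accept the input."""
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False


def mac_variants(text: str) -> list[str]:
    """All five spellings of the MAC, compact form first."""
    compact = normalize_mac(text)
    octets = [compact[i:i + 2] for i in range(0, 12, 2)]
    quads = [compact[i:i + 4] for i in range(0, 12, 4)]
    return [
        compact,
        ":".join(octets),
        "-".join(octets),
        " ".join(octets),
        ".".join(quads),
    ]


def spl_query(text: str, index: str = "network") -> str:
    """Free-text SPL that matches the MAC however a source wrote it.

    Each variant is a quoted literal, so Splunk looks for the whole phrase in
    _raw; its term matching is case-insensitive, so lower case is enough.
    """
    terms = " OR ".join(f'"{v}"' for v in mac_variants(text))
    return f"index={index} ({terms})"


def find_macs(line: str) -> list[str]:
    """Every MAC in a log line, normalised, whatever format it was logged in."""
    return [normalize_mac(m.group(1)) for m in MAC_IN_TEXT.finditer(line)]


def matching_lines(lines: list[str], wanted: str) -> list[str]:
    """Lines mentioning `wanted` in any format (offline stand-in for the search)."""
    target = normalize_mac(wanted)
    return [line for line in lines if target in find_macs(line)]


# Constructed sample events: one client logged by five different sources in
# five different formats, plus a near-miss that differs in the last octet.
SAMPLE_LOGS = [
    "Jun 12 10:01:02 sw01 %LINK-3-UPDOWN: host 00:30:65:2a:fc:cb on Gi1/0/7 up",
    "Jun 12 10:01:05 dhcpd: DHCPACK on 10.1.2.3 to 00-30-65-2a-fc-cb via eth0",
    "Jun 12 10:01:09 wlc: client 0030.652a.fccb associated to AP ap-lobby",
    "Jun 12 10:01:11 nac: device 0030652afccb quarantined (policy=guest)",
    "Jun 12 10:01:13 sw01 %LINK-3-UPDOWN: host 00:30:65:2a:fc:cc on Gi1/0/8 up",
    "Jun 12 10:01:15 radius: Calling-Station-Id 00 30 65 2A FC CB access-accept",
]

if __name__ == "__main__":
    print(spl_query("00 30 65 2a fc cb"))
    for hit in matching_lines(SAMPLE_LOGS, "0030.652A.FCCB"):
        print(hit)
```

Run it to print the generated search and the sample lines that match. The generated string is what belongs in the `<query>` of the form's main search; inside Simple XML the same variants could instead be computed by a separate search and published as tokens through its `<done>` handler with `<set token="...">$result.field$</set>`, so that they exist before the main search runs. Every variant is quoted, so the space-separated and dotted spellings are matched as phrases rather than as separate terms.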

DalJeanis
Legend

Run each of the tests one at a time and see which one kills it. I believe the issue may be with the last one, because I've had problems with two tokens together. The middle dollar signs together might be what is messing it up. You may have to extract the double-octets separately and use them that way.

$octet1$$octet2$
0 Karma

cpetterborg
SplunkTrust

Are you sure that step #2 is producing the results you want? That seems like a question about something obvious, but your step #3 seems to be fine. That's why I ask that question.

0 Karma

rpquinlan
Path Finder

I typo'd the original question.

What I meant to say was "I'm stuck trying to get the 6 extracted octet values to populate the search in step 4"
1, 2, 3 seem to be doing what I need them to. Sorry about that!

0 Karma

lfedak_splunk
Splunk Employee

Hey @rpquinlan, Can you let me know approximately what time you posted when your comment disappeared? I'll investigate the platform records.

0 Karma

rpquinlan
Path Finder

Browser cache issue, I think. It's there now. My apologies.

0 Karma

cpetterborg
SplunkTrust

So the values for the octets need to be in tokens in order to use $octet1$ (for example). Have you done that in your dashboard?

0 Karma

rpquinlan
Path Finder

I'm quite sure I have not done that. Are you able to help with how, since the octets are created by the rex in the query? I'm stuck trying to figure that out.

0 Karma

richardphung
Communicator

@rpquinlan did you ever get this figured out?
I am also trying to do a multi-format search via dashboard and I got about as far as your last post.

Thanks.

0 Karma

rpquinlan
Path Finder

When I added something like this to the search

| table octet1,octet2,octet3,octet4,octet5,octet6,_raw

it did populate those 6 columns with a broken-out version of the MAC address I entered. Perhaps I'm just failing in trying to create the entire search string?

My whole query is:
index=network "$octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$" OR "$octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$" OR "$octet1$$octet2$.$octet3$$octet4$.$octet5$$octet6$" OR "$octet1$$octet2$$octet3$$octet4$$octet5$$octet6$"
| eval MAC=replace("$mac_address$","[\s.:-]","")
| rex field=MAC "^(?<octet1>..)(?<octet2>..)(?<octet3>..)(?<octet4>..)(?<octet5>..)(?<octet6>..)$"

But when I submit this, nothing happens: "Search is waiting for input".

0 Karma