Solved: How do I create a Field for Mac Address?

mayler · ‎12-09-2010

The mac address format for all of my logs is xx:xx:xx:xx:xx:xx

AUTHORIZATION-SUCCESS: user: airport; mac: e8:06:88:8a:17:97; author reason: new session; ssid: slo_airport; AP 32/1

AUTHORIZATION-SUCCESS: user: airport; mac: 00:1c:b3:be:08:2c; author reason: new session; ssid: slo_airport; AP 32/2

I'm trying to " my search string " | stats distinct_count(mac)

I would think that the mac address would be a "pre-built" field. Thanks.

ftk · ‎12-09-2010

You can extract the mac address using rex as such:

your search string | rex "mac: (?<mac>\S+);" | stats distinct_count(mac)

ftk · ‎12-09-2010

You can extract the mac address using rex as such:

your search string | rex "mac: (?<mac>\S+);" | stats distinct_count(mac)

mayler · ‎12-09-2010

Thank you very very very much.

How do I create a Field for Mac Address?