
How to Extract Mac Address Field from Cisco Mac Address Notification Traps

lim23
New Member

Hello,

I am trying to extract the mac address from the following snmp trap. The mac address is embedded in the Hex-STRING. I want to skip over the first two octets after 'Hex-STRING' and use the following 6 octets. The first two, 02 00, can be different depending on which switch is sending the snmp trap.

In this case, the MAC address that I would like to capture is:
91 08 00 11 19 D3.

2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) TRAP, SNMP v1, community blah    SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific Trap (1) Uptime: 384 days, 23:02:38.16    SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00

The following REX Does NOT give me what I want:
(?i).*? (?P\s+\s+\d+\s+[a-f0-9]+\s+[a-f0-9]+\s+\d+\s+[a-f0-9]+)\s+\d+\s+\d+


lim23
New Member

Thanks for your response Kristian. I used your regex to build a little table to parse out the Cisco mac notification snmp-trap.

The 12 byte hex string has the following information in it.

first byte = operation (01 for added and 02 for removed mac address from its arp tables)
second+third byte = VLAN (in hex)
fourth-ninth byte = MAC Address
tenth-eleventh byte = Switch Interface (in hex)
twelfth byte = operation (never seen this byte used)

Here is what I did with your help.

my_search | rex "Hex-STRING:(?<ACTION1>[\sa-fA-F0-9]{3})(?<VLAN_HEX>[\sa-fA-F0-9]{6})(?<MAC_ADDRESS>[\sa-fA-F0-9]{18})(?<PORT_HEX>[\sa-fA-F0-9]{6})" | rex "(?i)(?P<SWITCH>[^ ]+)\s+(?:\[[^\n\[]*){2}" | eval ACTION2=replace(ACTION1,"01","Added") | eval ACTION=replace(ACTION2,"02","Removed") | eval VLAN1=replace(VLAN_HEX,"\s","") | eval PORT1=replace(PORT_HEX,"\s","") | eval PORT=tonumber(PORT1, 16) | eval VLAN=tonumber(VLAN1, 16) | table _time, MAC_ADDRESS, ACTION, VLAN, PORT, SWITCH


kristian_kolb
Ultra Champion

Please mark as answered and/or upvote if your problem was solved, thanks.

/kristian


lim23
New Member

Thanks, I have included my search and rex, in case anyone out there is looking to use Splunk for real time end user tracking.


kristian_kolb
Ultra Champion

Good that it worked for you. Perhaps you could tidy it up a little more by not including the whitespace in the fields you extract, i.e. do:
Hex-String:\s(?\d\d)\s+(?[a-fA-F0-9]{5})\s etc etc

Anyway, please mark the question as answered a/o upvote if your problem was solved. Thanks.

/kristian


kristian_kolb
Ultra Champion

Hi,

Your regex looks a bit complex, and also there are 2 \s+ as the first parts of the field you wish to extract. Also, there is the possibility that A-F may occur in other places than where you specified. Finally, your regex is not anchoring to any particular point in the event, so you could get strange results.

You could try it as a rex extraction:

your_search | rex "Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})"

or in props.conf

[your_sourcetype] 
EXTRACT-cisco_MAC = Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})

Hope this helps,

Kristian

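The same extraction outside Splunk, as an added example that is not part of this thread and not Splunk or Cisco code: it anchors on the literal "Hex-STRING:" as kristian_kolb's answer does, and decodes the twelve octets using the layout lim23 posted in the follow-up (operation, VLAN, MAC, interface, trailing byte) rather than the first post's skip-two-octets reading. The sample events, switch names and addresses are constructed placeholders, and the function and variable names are this example's own.

```python
import re

# Constructed sample events, modelled on the trap quoted in the question
# (switch names and addresses are placeholders, not real devices).
SAMPLE_EVENTS = [
    "2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) "
    "TRAP, SNMP v1, community blah    SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific "
    "Trap (1) Uptime: 384 days, 23:02:38.16    SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = "
    "Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00",
    # Second constructed event: an "added" notification on VLAN 10, interface 3.
    "2012-04-23 13:09:42 other-switch [192.18.foo.bar] (via UDP: [192.18.foo.bar]:55288) "
    "TRAP, SNMP v1, community blah    SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific "
    "Trap (1) Uptime: 12 days, 01:00:00.00    SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = "
    "Hex-STRING: 01 00 0A 00 1B 2C 3D 4E 5F 00 03 00",
]

# Anchor on the literal "Hex-STRING:" (kristian_kolb's point about anchoring) and
# require exactly twelve hex octets so a varbind of another length is not mis-parsed.
HEX_STRING_RE = re.compile(
    r"Hex-STRING:\s*((?:[0-9A-Fa-f]{2}\s+){11}[0-9A-Fa-f]{2})"
)
# Switch name: the token between the timestamp and the bracketed source address,
# the same position lim23's second rex takes it from.
SWITCH_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\S+) \[")

# Meaning of the first octet, as lim23 described it in the thread.
OPERATIONS = {0x01: "Added", 0x02: "Removed"}


def parse_mac_notification(event: str) -> dict:
    """Decode the 12-octet payload of one Cisco MAC notification trap event."""
    m = HEX_STRING_RE.search(event)
    if m is None:
        raise ValueError("event has no 12-octet Hex-STRING payload")
    # Drop the whitespace between octets before converting, so the fields carry
    # no stray spaces (kristian_kolb's tidy-up suggestion).
    payload = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))

    switch = SWITCH_RE.match(event)
    return {
        "switch": switch.group(1) if switch else None,
        "action": OPERATIONS.get(payload[0], f"unknown(0x{payload[0]:02X})"),
        "vlan": int.from_bytes(payload[1:3], "big"),        # octets 2-3
        "mac": ":".join(f"{b:02X}" for b in payload[3:9]),  # octets 4-9
        "port": int.from_bytes(payload[9:11], "big"),       # octets 10-11
        "reserved": payload[11],                            # octet 12, unused
    }


def parse_events(events):
    """Parse a batch of events, skipping lines that carry no MAC notification."""
    rows = []
    for event in events:
        try:
            rows.append(parse_mac_notification(event))
        except ValueError:
            continue
    return rows


if __name__ == "__main__":
    for row in parse_events(SAMPLE_EVENTS):
        print(row)
```

For the first sample event this yields switch test-switch, action Removed, VLAN 145 (0x0091), MAC 08:00:11:19:D3:35 and interface 18 (0x0012), which is what the SPL `tonumber(..., 16)` conversions in lim23's search produce for the same bytes. Requiring exactly twelve octets in the regex is the part worth keeping in the Splunk version too: a looser `[\sa-fA-F0-9]{n}` class will happily match a payload of the wrong length and silently shift every field.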