Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Match the First three characters of a MAC address within a lookup table field

leykmekoo
Explorer
‎06-16-2024 01:59 PM

Hello, 

I have a lookup table where a list of MAC addresses are listed with the associated Vendors; basically an identifier. However, the mac address in this lookup table (column name is 'prefix') only has the three characters - xx:xx:xx. What I'm trying to do is write a query to find devices that were assigned/renewed an IP address from the DHCP server and based on their Mac address information in the result, identify the vendor. I was able to filter the first three characters from the result but when adding the lookup table to enrich the result with the Vendor information, I'm getting zero results. What am I doing wrong here? Thanks in advance! 

index=some_dhcp description=renew

| eval d_mac=dest_mac

| rex field=d_mac "(?P<d_mac>([0-9-Fa-f]{2}[:-]){3})"

| lookup vendor.csv Prefix as d_mac OUTPUT Prefix Vendor_Name

| search Prefix=*

| table date dest_mac Vendor_Name description
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2024 05:56 PM

Does your lookup definition contain nnn* or just nnn - to use wildcard, the lookup itself should have an asterisk

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2024 05:56 PM

Does your lookup definition contain nnn* or just nnn - to use wildcard, the lookup itself should have an asterisk

Reply
Solved! Jump to solution

leykmekoo
Explorer
‎06-17-2024 11:22 AM

Adding a wildcard to a 1000+ lookup table was a pain 😶 but that seems to resolve the issue i was having. 😊😊 It's a good lesson as well. Thank you and everyone for your recommendations!! 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-17-2024 03:28 PM

@leykmekoo A tip for the future 😀

| inputlookup your_lookup
| eval your_wildcard_field=your_wildcard_field."*"
| outputlookup your_lookup

 

Reply
Solved! Jump to solution

leykmekoo
Explorer
‎06-17-2024 07:02 PM

Great! Thanks! 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-16-2024 03:19 PM

Have you set up the Prefix field to match_type WILDCARD? See Share a lookup table file with apps.

0 Karma
Reply
Solved! Jump to solution

leykmekoo
Explorer
‎06-16-2024 04:49 PM

Yes, I've created a lookup definition and set the Match type as 'WILDCARD(Prefix)'. However, I'm still not getting results. When commenting out the lookup, I get results. 

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top