Splunk Search

How to extract MAC addresses from a log that has all values delimited by a comma, but the order of fields can change?

Explorer

Hi,

I am trying to extract MAC addresses from a log that has all the values separated by a comma. I would use the delimiter for creating the field, but the order of the fields changes from time to time, and the values might be switched around. Is there any way to use REGEX to extract the MAC address? I tried several things on the REGEX extraction page, but had no luck. It works, but it doesn't recognize all the MACs, only some. Any ideas on how I can fix this? Thanks!

0 Karma
1 Solution

Communicator

Without seeing an example of the MAC address format you're trying to parse we'll just be guessing but this might work for the common MAC formats. Set up a field extraction on that sourcetype and use this as the regex:

(?P<device_mac>[a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2})

Explorer

Thanks for the reply. I thought I had added the format in my other comment, but I guess I didn't. The format is aa-bb-cc-dd-ee-ff. This regex extracts the first instance of a MAC, but it ignores the second instance, and the second MAC is what I need to extract. Do you know of any way I can extract the second field that matches the pattern? Thanks!

0 Karma

Communicator

You didn't say anything about there being more than one MAC address in your events in any of your posts, so the regex didn't account for that. You also said that the order they appear in changes, so how do you know it will always be the second MAC address in the event?

This will extract both into separate fields:

(?P<device_mac>[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}).*?(?P<device_mac2>[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2}\-[a-fA-F0-9]{2})

Explorer

It's kind of tricky. It will always be the second MAC in the log, but there may be 1 item in between the two MACs or there may be 3 items in between. It just depends on the log. But that works beautifully. Sorry I wasn't more clear about it in my original post. Thank you very much!

0 Karma

Communicator

That's great. If you are satisfied with the answer, can you mark my response as such? Few people are following this question.

0 Karma

Community Manager

Converted your comment to an official answer and accepted it 🙂

Cheers

0 Karma

Motivator

Can you post the format of the MAC address itself? Is it like ab:cd:ef:gh:ij:kl OR abcd:efgh:ijkl OR ab-cd-ef-gh-ij-kl? etc. Based on the format (it doesn't matter where it is), that would be helpful.

This is what I use.

| rex "(?<mac>[a-fA-F0-9\.:-]{12,17})" | rex field=mac mode=sed "s/(\.|:|-)//g"

You can use mode=sed or use replace command as well.

Thanks,
Raghav

0 Karma
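As an added example, not code from the thread: the following Python script implements the two ideas above in runnable form, the accepted answer's two-group extraction (with a non-greedy `.*?` so the second group really is the second MAC rather than the last one) and Raghav's separator-stripping normalisation. The sample events are constructed for this example; the Cisco dotted form (aabb.ccdd.eeff) is an assumption about other log sources and is not mentioned by the asker. Splunk's `rex` uses PCRE, so the same pattern strings can be pasted into `| rex "..."` unchanged.

```python
import re
from typing import Optional

# Constructed sample events for this example (not taken from the thread):
# comma-delimited, field order varies, and the MAC of interest is the
# second one that appears in the event.
SAMPLE_EVENTS = [
    "2024-01-01T00:00:00,auth,ab-cd-ef-01-23-45,ap01,de-ad-be-ef-00-01,ok",
    "2024-01-01T00:00:01,de-ad-be-ef-00-02,ap02,assoc,user1,ab:cd:ef:01:23:46,ok",
    "2024-01-01T00:00:02,deauth,abcd.ef01.2347,ap03,DE-AD-BE-EF-00-03",
    "2024-01-01T00:00:03,noise,zz-zz-zz-zz-zz-zz,only-one,ab-cd-ef-01-23-48",
    "2024-01-01T00:00:04,ab-cd-ef-01-23-49,x,de-ad-be-ef-00-04,y,ff-ff-ff-ff-ff-ff",
]

# One MAC in the hyphen/colon form from the thread (aa-bb-cc-dd-ee-ff or
# aa:bb:cc:dd:ee:ff). Only hex digits are allowed; a class like [\w\d]
# would also admit g-z and '_' and is deliberately avoided.
MAC_HYPHEN_COLON = r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
# Cisco dotted form (aabb.ccdd.eeff). Assumed here for other log sources;
# Raghav's loose [a-fA-F0-9\.:-]{12,17} class admits it too.
MAC_DOTTED = r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"

# Hex-digit guards on both sides stop a longer hex run (part of a hash,
# a timestamp, an IPv6 address) from being cut into a false MAC.
MAC_RE = re.compile(
    rf"(?<![0-9A-Fa-f])(?:{MAC_HYPHEN_COLON}|{MAC_DOTTED})(?![0-9A-Fa-f])"
)

# Equivalent of the accepted answer's two-group field extraction, with a
# non-greedy .*? so device_mac2 is the SECOND MAC, not the last one.
FIELD_RE = re.compile(
    rf"(?P<device_mac>{MAC_HYPHEN_COLON}).*?(?P<device_mac2>{MAC_HYPHEN_COLON})"
)


def extract_macs(event: str) -> list[str]:
    """Every MAC in the event, in order of appearance, exactly as written."""
    return MAC_RE.findall(event)


def normalize_mac(mac: str) -> str:
    """Strip separators and lowercase, as Raghav's mode=sed step does."""
    return re.sub(r"[.:-]", "", mac).lower()


def second_mac(event: str) -> Optional[str]:
    """The normalised second MAC, or None when the event holds fewer than two."""
    macs = extract_macs(event)
    return normalize_mac(macs[1]) if len(macs) >= 2 else None


def extract_fields(event: str) -> dict[str, str]:
    """device_mac / device_mac2 as the Splunk field extraction would produce them."""
    m = FIELD_RE.search(event)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_macs(ev), "->", second_mac(ev), extract_fields(ev))
```

`extract_macs` is the robust route when the number of MACs per event varies: pull them all, then pick the index you need, rather than encoding "second" into the regex. The fifth sample event shows why the non-greedy `.*?` matters for the two-group form; with a greedy `.*`, `device_mac2` would be the final `ff-ff-ff-ff-ff-ff`.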

Explorer

Sorry for the late response; I've been fiddling around with this for about a week, trying similar regex patterns and such with no luck. I still can't separate the MAC addresses into a field. I would like it to say something like "device_mac=MACADDRESS" underneath the log itself, but when I use REGEX, sometimes it works, and other times it doesn't pick up anything. Am I out of luck?

0 Karma