Hmm. I think this is just one way you could do it.
| eval m = tostring(MAC)
| eval MAC = substr(m, 0,2).":".substr(m,2,4).":".substr(m,4,6).":".substr(m,6,8).":".substr(m,8,10).":".substr(m,10)
Realise this is a bit late, but came across the same problem and found the below to work as well - might be a bit faster as it's just using one eval?
| eval MAC=replace(MAC, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
@CyberSekure - this is a great approach. I wrapped this into a macro and use it all the time now!
Hmm. I think this is just one way you could do it.
| eval m = tostring(MAC)
| eval MAC = substr(m, 0,2).":".substr(m,2,4).":".substr(m,4,6).":".substr(m,6,8).":".substr(m,8,10).":".substr(m,10)
You had a typo in there, but I see what you're doing. Thanks for the help!
This worked:
| eval m = tostring(MAC)
| eval MAC2 = substr(m,1,2).":".substr(m,3,2).":".substr(m,5,2).":".substr(m,7,2).":".substr(m,9,2).":".substr(m,11,2)
Hi guys, I'm trying to accomplish the same thing and something is not working. I only get the first MAC address to show up once I create the table; it formats it correctly, but it's not what I want.
sourcetype="corp16arp:mib" | rex "ipNetToMediaPhysAddress.\"\d+\".\"(?<IP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\"\s+=\s+\"0x(?<MAC>\w+)" max_match=0 | eval m = tostring(MAC)
| eval MAC = substr(m,0,2).":".substr(m,3,2).":".substr(m,5,2).":".substr(m,7,2).":".substr(m,9,2).":".substr(m,11,2) | table IP MAC
The following regex takes raw SNMP data and creates two fields, IP and MAC: I omitted the full IP and MACs for security reasons.
RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000"
RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000"
RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000"
RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000
Any advice on this would help.
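One way to format every match rather than only the first, added here as an example and not taken from any post in this thread: with max_match=0, rex returns IP and MAC as multivalue fields, so the sketch below pairs them with mvzip, splits each pair into its own row with mvexpand, and then applies the single-eval replace shown earlier. The event text, the 192.0.2.x addresses and the MAC values are constructed sample data, and the field name pair is an assumption of this example.

```spl
| makeresults
| eval _raw="RFC1213-MIB::ipNetToMediaPhysAddress.\"14\".\"192.0.2.10\" = \"0x0011223344aa\" RFC1213-MIB::ipNetToMediaPhysAddress.\"51\".\"192.0.2.11\" = \"0x0011223344bb\""
| rex max_match=0 "ipNetToMediaPhysAddress\.\"\d+\"\.\"(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"\s+=\s+\"0x(?<MAC>\w+)"
| eval pair=mvzip(IP, MAC)
| mvexpand pair
| eval IP=mvindex(split(pair, ","), 0), MAC=mvindex(split(pair, ","), 1)
| eval MAC=replace(MAC, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
| table IP MAC
```

Replace the first two lines with the real base search (for example the sourcetype filter) to run it against indexed events.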
Hi @pzharyuk
This question was posted in 2015. If the accepted answer is not working out for you, please post it as a new question so you can get better exposure to your question.
Thanks