@CyberSekure- this is a great approach. I wrapped this into a macro and use it all the time now!

you had a typo in there but I see what you're doing. thanks for the help!

this worked:

| eval m = tostring(MAC)
| eval MAC2 = substr(m,1,2).":".substr(m,3,2).":".substr(m,5,2).":".substr(m,7,2).":".substr(m,9,2).":".substr(m,11,2)

Hi guys, I'm trying to accomplish the same thing and something is not working, I only get the first MAC address to show up once I create the table, it formats it correctly but it's not what I want.

sourcetype="corp16arp:mib" | rex "ipNetToMediaPhysAddress.\"\d+\".\"(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\"\s+=\s+\"0x(?\w+)" max_match=0 | eval m = tostring(MAC)
| eval MAC = substr(m,0,2).":".substr(m,3,2).":".substr(m,5,2).":".substr(m,7,2).":".substr(m,9,2).":".substr(m,11,2) | table IP MAC

The following regex takes raw SNMP data and creates two fields, IP and MAC: I omitted the full IP and MAC's for security reasons.

RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000

Any advice on this would help.

Hi @pzharyuk

This question was posted in 2015. If the accepted answer is not working out for you, please post it as a new question so you can get better exposure to your question.

Thanks