Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Reformat a field

fk319
Builder
‎03-01-2012 12:57 PM

My logs contain mac addresses. Sometimes they have colons and sometimes dots.
I want to build a view where the user inputs a mac and is able to search for both formats.

I looked at rewriting the mac with out colons in props.conf/transforms.conf, but could not figure out a method.

It looks like I am going to have to do it in the view, create a new field a mac with colons, and search for both.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2012 01:42 PM

Try using something like the following, assuming that the user input in is $X$ and that the MAC address in the event has been extracted into a field named macAddr:

<your base search> | eval testMac = replace($X$,":",".") | where match(macAddr,testMac)

The eval command takes the user input, which is assumed to be in the form 00:B0:D0:86:BB:F7, and replaces the colons with dot (.)

The dot is the "match anything" character in regular expressions, so now the testMac field looks like 00.B0.D0.86.BB.F7 - as a regular expression, this will match anything as a separator.

The where command uses the match function to see if the macAddr field in the event matches the pattern. If yes, the event is returned, otherwise it is excluded from the search results.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2012 01:42 PM

Try using something like the following, assuming that the user input in is $X$ and that the MAC address in the event has been extracted into a field named macAddr:

<your base search> | eval testMac = replace($X$,":",".") | where match(macAddr,testMac)

The eval command takes the user input, which is assumed to be in the form 00:B0:D0:86:BB:F7, and replaces the colons with dot (.)

The dot is the "match anything" character in regular expressions, so now the testMac field looks like 00.B0.D0.86.BB.F7 - as a regular expression, this will match anything as a separator.

The where command uses the match function to see if the macAddr field in the event matches the pattern. If yes, the event is returned, otherwise it is excluded from the search results.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-07-2012 12:52 PM

Nice solution with the macros

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎03-07-2012 05:15 AM

What I ended up doing was creating two macros, one to strip out the colons and one that put them in. I was then able to include it in my search:
(macStrip($mac$) OR macColons($mac$)) |
I have to many macs in my logs to do a search and match. Thank you for your help.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-02-2012 03:09 PM

| eval testMac = replace($X$,":",".{0,1}") |
where match(macAddr,testMac)

should work then

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎03-01-2012 02:09 PM

the problem is in the mac is both ways in the logs, so my search is:
mac="00:B0:D0:86:BB:F7" OR mac="00B0D086BBF7"

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...