Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Reformat a field

fk319
Builder
‎03-01-2012 12:57 PM

My logs contain mac addresses. Sometimes they have colons and sometimes dots.
I want to build a view where the user inputs a mac and is able to search for both formats.

I looked at rewriting the mac with out colons in props.conf/transforms.conf, but could not figure out a method.

It looks like I am going to have to do it in the view, create a new field a mac with colons, and search for both.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2012 01:42 PM

Try using something like the following, assuming that the user input in is $X$ and that the MAC address in the event has been extracted into a field named macAddr:

<your base search> | eval testMac = replace($X$,":",".") | where match(macAddr,testMac)

The eval command takes the user input, which is assumed to be in the form 00:B0:D0:86:BB:F7, and replaces the colons with dot (.)

The dot is the "match anything" character in regular expressions, so now the testMac field looks like 00.B0.D0.86.BB.F7 - as a regular expression, this will match anything as a separator.

The where command uses the match function to see if the macAddr field in the event matches the pattern. If yes, the event is returned, otherwise it is excluded from the search results.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2012 01:42 PM

Try using something like the following, assuming that the user input in is $X$ and that the MAC address in the event has been extracted into a field named macAddr:

<your base search> | eval testMac = replace($X$,":",".") | where match(macAddr,testMac)

The eval command takes the user input, which is assumed to be in the form 00:B0:D0:86:BB:F7, and replaces the colons with dot (.)

The dot is the "match anything" character in regular expressions, so now the testMac field looks like 00.B0.D0.86.BB.F7 - as a regular expression, this will match anything as a separator.

The where command uses the match function to see if the macAddr field in the event matches the pattern. If yes, the event is returned, otherwise it is excluded from the search results.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-07-2012 12:52 PM

Nice solution with the macros

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎03-07-2012 05:15 AM

What I ended up doing was creating two macros, one to strip out the colons and one that put them in. I was then able to include it in my search:
(macStrip($mac$) OR macColons($mac$)) |
I have to many macs in my logs to do a search and match. Thank you for your help.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-02-2012 03:09 PM

| eval testMac = replace($X$,":",".{0,1}") |
where match(macAddr,testMac)

should work then

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎03-01-2012 02:09 PM

the problem is in the mac is both ways in the logs, so my search is:
mac="00:B0:D0:86:BB:F7" OR mac="00B0D086BBF7"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...