Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Reformat a field

fk319
Builder
‎03-01-2012 12:57 PM

My logs contain mac addresses. Sometimes they have colons and sometimes dots.
I want to build a view where the user inputs a mac and is able to search for both formats.

I looked at rewriting the mac with out colons in props.conf/transforms.conf, but could not figure out a method.

It looks like I am going to have to do it in the view, create a new field a mac with colons, and search for both.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2012 01:42 PM

Try using something like the following, assuming that the user input in is $X$ and that the MAC address in the event has been extracted into a field named macAddr:

<your base search> | eval testMac = replace($X$,":",".") | where match(macAddr,testMac)

The eval command takes the user input, which is assumed to be in the form 00:B0:D0:86:BB:F7, and replaces the colons with dot (.)

The dot is the "match anything" character in regular expressions, so now the testMac field looks like 00.B0.D0.86.BB.F7 - as a regular expression, this will match anything as a separator.

The where command uses the match function to see if the macAddr field in the event matches the pattern. If yes, the event is returned, otherwise it is excluded from the search results.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2012 01:42 PM

Try using something like the following, assuming that the user input in is $X$ and that the MAC address in the event has been extracted into a field named macAddr:

<your base search> | eval testMac = replace($X$,":",".") | where match(macAddr,testMac)

The eval command takes the user input, which is assumed to be in the form 00:B0:D0:86:BB:F7, and replaces the colons with dot (.)

The dot is the "match anything" character in regular expressions, so now the testMac field looks like 00.B0.D0.86.BB.F7 - as a regular expression, this will match anything as a separator.

The where command uses the match function to see if the macAddr field in the event matches the pattern. If yes, the event is returned, otherwise it is excluded from the search results.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-07-2012 12:52 PM

Nice solution with the macros

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎03-07-2012 05:15 AM

What I ended up doing was creating two macros, one to strip out the colons and one that put them in. I was then able to include it in my search:
(macStrip($mac$) OR macColons($mac$)) |
I have to many macs in my logs to do a search and match. Thank you for your help.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-02-2012 03:09 PM

| eval testMac = replace($X$,":",".{0,1}") |
where match(macAddr,testMac)

should work then

0 Karma
Reply
Solved! Jump to solution

fk319
Builder
‎03-01-2012 02:09 PM

the problem is in the mac is both ways in the logs, so my search is:
mac="00:B0:D0:86:BB:F7" OR mac="00B0D086BBF7"

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...