Hello
We are building a search that takes a MAC address, evaluates all the potential formats that MAC address may appear in, and takes those results to search on.
So we start with a MAC address like 00:01:02:03:04:05 and use eval to return all the potential formats:
MAC1 0001:0203:0405
MAC2 0001.0203.0405
MAC3 00:01:02:03:04:05
MAC4 00.01.02.03.04.05
MAC5 00-01-02-03-04-05
We have that part sorted and can return the MAC1 – 5 values. The search we use is:
| eval MAC_to_Search="00:01:02:03:04:05" | dedup MAC_to_Search
| eval SimpleMAC=replace(MAC_to_Search,"\.","")
| eval SimpleMAC=replace(SimpleMAC,"\:","")
| eval SimpleMAC=replace(SimpleMAC,"\-","")
| eval MAC1=trim(substr(SimpleMAC,1,4)+":"+substr(SimpleMAC,5,4)+":"+substr(SimpleMAC,9,4))
| eval MAC2=trim(substr(SimpleMAC,1,4)+"."+substr(SimpleMAC,5,4)+"."+substr(SimpleMAC,9,4))
| eval MAC3=trim(substr(SimpleMAC,1,2)+":"+substr(SimpleMAC,3,2)+":"+substr(SimpleMAC,5,2)+":"+substr(SimpleMAC,7,2)+":"+substr(SimpleMAC,9,2)+":"+substr(SimpleMAC,11,2))
| eval MAC4=trim(substr(SimpleMAC,1,2)+"."+substr(SimpleMAC,3,2)+"."+substr(SimpleMAC,5,2)+"."+substr(SimpleMAC,7,2)+"."+substr(SimpleMAC,9,2)+"."+substr(SimpleMAC,11,2))
| eval MAC5=trim(substr(SimpleMAC,1,2)+"-"+substr(SimpleMAC,3,2)+"-"+substr(SimpleMAC,5,2)+"-"+substr(SimpleMAC,7,2)+"-"+substr(SimpleMAC,9,2)+"-"+substr(SimpleMAC,11,2))| table MAC1 MAC2 MAC3 MAC4 MAC5
Where I am failing is in using these returned values as the basis for a search, so I now want to search on the returned values MAC1, MAC2, MAC3, MAC4, MAC5.
I tried:
| search (MAC1 OR MAC2 OR MAC3 OR MAC4 OR MAC5) [eval MAC_to_Search="0001:0203:0405" | dedup MAC_to_Search
| eval SimpleMAC=replace(MAC_to_Search,"\.","")
| eval SimpleMAC=replace(SimpleMAC,"\:","")
| eval SimpleMAC=replace(SimpleMAC,"\-","")
| eval MAC1=trim(substr(SimpleMAC,1,4)+":"+substr(SimpleMAC,5,4)+":"+substr(SimpleMAC,9,4))
| eval MAC2=trim(substr(SimpleMAC,1,4)+"."+substr(SimpleMAC,5,4)+"."+substr(SimpleMAC,9,4))
| eval MAC3=trim(substr(SimpleMAC,1,2)+":"+substr(SimpleMAC,3,2)+":"+substr(SimpleMAC,5,2)+":"+substr(SimpleMAC,7,2)+":"+substr(SimpleMAC,9,2)+":"+substr(SimpleMAC,11,2))
| eval MAC4=trim(substr(SimpleMAC,1,2)+"."+substr(SimpleMAC,3,2)+"."+substr(SimpleMAC,5,2)+"."+substr(SimpleMAC,7,2)+"."+substr(SimpleMAC,9,2)+"."+substr(SimpleMAC,11,2))
| eval MAC5=trim(substr(SimpleMAC,1,2)+"-"+substr(SimpleMAC,3,2)+"-"+substr(SimpleMAC,5,2)+"-"+substr(SimpleMAC,7,2)+"-"+substr(SimpleMAC,9,2)+"-"+substr(SimpleMAC,11,2))
| dedup eval_MAC_to_Search MAC1 MAC2 MAC3 MAC4 MAC5 | return MAC1 MAC2 MAC3 MAC4 MAC5]
But I am getting no results. Obviously I am making some fundamental error, and any help is much appreciated.
Hi jasonheb,
Based on the provided examples:
MAC1 0001:0203:0405
MAC2 0001.0203.0405
MAC3 00:01:02:03:04:05
MAC4 00.01.02.03.04.05
MAC5 00-01-02-03-04-05
You can use a regex to capture the MACs in a new field called myMAC, as in this example:
| gentimes start=-1 | eval foo="MAC1 0001:0203:0405
MAC2 0001.0203.0405
MAC3 00:01:02:03:04:05
MAC4 00.01.02.03.04.05
MAC5 00-01-02-03-04-05" | rex max_match=0 field=foo "(?<myMAC>\d+[\:\.\-][^\r\n\s]+)" | table myMAC
The first line, | gentimes start=-1 | eval foo=", is only used to create the field called foo, which is then used by the regex.
Hope this helps ...
cheers, MuS
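As an added illustration of both posts above (jasonheb's five-format normalization via SimpleMAC, and MuS's rex that pulls MAC-looking tokens out of a field), here is a Python version of the same idea. It is example code written for this page, not from either poster or from Splunk; the log lines are constructed, and the token regex is extended beyond the answer's \d+ to accept hex letters in the first group, since real MACs contain them. The use case is the defensive one from the question: find every log line that refers to one device, whichever notation the source used.

```python
import re

# Constructed sample log lines (not from the page): the same device appears in
# three different MAC notations, plus an unrelated MAC and a line with no MAC.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 dhcp lease 10.0.0.5 assigned to 00:01:02:03:04:05",
    "2024-01-01T10:00:01 switch port Gi1/0/7 learned 0001.0203.0405",
    "2024-01-01T10:00:02 edr host WIN01 adapter 00-01-02-03-04-05 link up",
    "2024-01-01T10:00:03 dhcp lease 10.0.0.9 assigned to aa:bb:cc:dd:ee:ff",
    "2024-01-01T10:00:04 sshd accepted password for admin from 10.0.0.5",
]

# Mirrors the answer's rex "(?<myMAC>\d+[\:\.\-][^\r\n\s]+)": a run of hex
# digits, one separator, then everything up to the next whitespace. Hex letters
# are allowed here (the original used \d+); the lookbehind stops matches from
# starting in the middle of a longer token. Non-MAC hits (IPs, timestamps) are
# filtered out afterwards by simple_mac().
MAC_TOKEN = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]+[:.\-][^\s]+")


def simple_mac(mac: str) -> str:
    """Strip '.', ':' and '-' (the question's SimpleMAC) and require 12 hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC: {mac!r}")
    return digits


def mac_formats(mac: str) -> dict:
    """Return the five notations MAC1..MAC5 from the question for one address."""
    d = simple_mac(mac)
    quads = [d[0:4], d[4:8], d[8:12]]            # substr(SimpleMAC,1,4) etc.
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]  # substr(SimpleMAC,1,2) etc.
    return {
        "MAC1": ":".join(quads),
        "MAC2": ".".join(quads),
        "MAC3": ":".join(pairs),
        "MAC4": ".".join(pairs),
        "MAC5": "-".join(pairs),
    }


def extract_macs(text: str) -> list:
    """Pull every MAC out of free text, normalized (the answer's rex max_match=0)."""
    found = []
    for m in MAC_TOKEN.finditer(text):
        try:
            found.append(simple_mac(m.group(0)))
        except ValueError:
            continue  # token had a separator but was not a MAC (e.g. 10.0.0.5)
    return found


def search_logs(mac: str, lines) -> list:
    """Return the log lines that mention `mac` in any of the five notations."""
    wanted = simple_mac(mac)
    return [line for line in lines if wanted in extract_macs(line)]


if __name__ == "__main__":
    for name, value in mac_formats("00:01:02:03:04:05").items():
        print(name, value)
    for line in search_logs("0001.0203.0405", SAMPLE_LOGS):
        print("hit:", line)
```

Normalizing both sides to the bare 12-digit form is what makes the comparison notation-independent: the five eval'd variants in the question are really five spellings of one value, so the search only has to compare the stripped form rather than OR together every variant.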