Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Searching on results of EVAL command
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Searching on results of EVAL command
jasonheb
Explorer
09-22-2015
03:25 PM
Hello
We are building a search to take a MAC address, evaluate all the potential formats that MAC address may be and take those results to search on
So we start with a MAC address like 00:01:02:03:04:05 and use eval to return all the potential formats
MAC1 0001:0203:0405
MAC2 0001.0203.0405
MAC3 00:01:02:03:04:05
MAC4 00.01.02.03.04.05
MAC5 00-01-02-03-04-05
We have that part sorted can return the MAC1 – 5 values – the search we use is
| eval MAC_to_Search="00:01:02:03:04:05" | dedup MAC_to_Search
| eval SimpleMAC=replace(MAC_to_Search,"\.","")
| eval SimpleMAC=replace(SimpleMAC,"\:","")
| eval SimpleMAC=replace(SimpleMAC,"\-","")
| eval MAC1=trim(substr(SimpleMAC,1,4)+":"+substr(SimpleMAC,5,4)+":"+substr(SimpleMAC,9,4))
| eval MAC2=trim(substr(SimpleMAC,1,4)+"."+substr(SimpleMAC,5,4)+"."+substr(SimpleMAC,9,4))
| eval MAC3=trim(substr(SimpleMAC,1,2)+":"+substr(SimpleMAC,3,2)+":"+substr(SimpleMAC,5,2)+":"+substr(SimpleMAC,7,2)+":"+substr(SimpleMAC,9,2)+":"+substr(SimpleMAC,11,2))
| eval MAC4=trim(substr(SimpleMAC,1,2)+"."+substr(SimpleMAC,3,2)+"."+substr(SimpleMAC,5,2)+"."+substr(SimpleMAC,7,2)+"."+substr(SimpleMAC,9,2)+"."+substr(SimpleMAC,11,2))
| eval MAC5=trim(substr(SimpleMAC,1,2)+"-"+substr(SimpleMAC,3,2)+"-"+substr(SimpleMAC,5,2)+"-"+substr(SimpleMAC,7,2)+"-"+substr(SimpleMAC,9,2)+"-"+substr(SimpleMAC,11,2))| table MAC1 MAC2 MAC3 MAC4 MAC5
Where I am failing is to use these returned values as the basic for a search, so I want to now search on the returned values MAC1, MAC2, MAC3, MAC4, MAC5
I tried
| search (MAC1 OR MAC2 OR MAC3 OR MAC4 OR MAC5) [eval MAC_to_Search="0001:0203:0405" | dedup MAC_to_Search
| eval SimpleMAC=replace(MAC_to_Search,"\.","")
| eval SimpleMAC=replace(SimpleMAC,"\:","")
| eval SimpleMAC=replace(SimpleMAC,"\-","")
| eval MAC1=trim(substr(SimpleMAC,1,4)+":"+substr(SimpleMAC,5,4)+":"+substr(SimpleMAC,9,4))
| eval MAC2=trim(substr(SimpleMAC,1,4)+"."+substr(SimpleMAC,5,4)+"."+substr(SimpleMAC,9,4))
| eval MAC3=trim(substr(SimpleMAC,1,2)+":"+substr(SimpleMAC,3,2)+":"+substr(SimpleMAC,5,2)+":"+substr(SimpleMAC,7,2)+":"+substr(SimpleMAC,9,2)+":"+substr(SimpleMAC,11,2))
| eval MAC4=trim(substr(SimpleMAC,1,2)+"."+substr(SimpleMAC,3,2)+"."+substr(SimpleMAC,5,2)+"."+substr(SimpleMAC,7,2)+"."+substr(SimpleMAC,9,2)+"."+substr(SimpleMAC,11,2))
| eval MAC5=trim(substr(SimpleMAC,1,2)+"-"+substr(SimpleMAC,3,2)+"-"+substr(SimpleMAC,5,2)+"-"+substr(SimpleMAC,7,2)+"-"+substr(SimpleMAC,9,2)+"-"+substr(SimpleMAC,11,2))
| dedup eval_MAC_to_Search MAC1 MAC2 MAC3 MAC4 MAC5 | return MAC1 MAC2 MAC3 MAC4 MAC5]
But getting no returns. Obviously I am making some fundamental error and any help much appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
SplunkTrust
09-22-2015
05:08 PM
Hi jasonheb,
based on the provided examples:
MAC1 0001:0203:0405
MAC2 0001.0203.0405
MAC3 00:01:02:03:04:05
MAC4 00.01.02.03.04.05
MAC5 00-01-02-03-04-05
You can use regex to capture the MAC's in a new field called myMAC in this example:
| gentimes start=-1 | eval foo="MAC1 0001:0203:0405
MAC2 0001.0203.0405
MAC3 00:01:02:03:04:05
MAC4 00.01.02.03.04.05
MAC5 00-01-02-03-04-05" | rex max_match=0 field=foo "(?<myMAC>\d+[\:\.\-][^\r\n\s]+)" | table myMAC
the first line | gentimes start=-1 | eval foo=" is only used to create the field called foo which will be used by the regex
Hope this helps ...
cheers, MuS
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
