Splunk Search

change colon to dash in Search

bulu
New Member

First, let me start by saying I am not a programmer, a Splunk expert, or highly experienced with Regex or SED. I say this so you understand: if you offer an answer, please do not leave any steps out expecting I know what should fill in the blanks.

I get MAC addresses in the format of 00:00:00:00:00:00, but the logs I need to search are in the format of 00-00-00-00-00-00. I'm looking for a way for Search to take the input with colons and convert the colons to dashes before executing the search, so we do not have to manually change it before executing our search.

0 Karma

bulu
New Member

If I put the strings below into the search bar, it returns the MAC address in the correct format, but it only searches today's logs, despite what date range I've selected.

| makeresults
| eval mac="a4:fc:77:3b:08:b7"
| rex field=mac mode=sed "s/:/-/g"

_time                 mac
2020-02-07 16:06:42   a4-fc-77-3b-08-b7

0 Karma

jpolvino
Builder

What does your search look like? The example I posted was to demonstrate using rex to transform your mac.

If you have a search like this:
index=foo sourcetype=bar host=abc
and your mac field is available but in the wrong format, you can adjust it at this point. This is where you would transform it with | rex field=mac mode=sed "s/:/-/g"

0 Karma

jpolvino
Builder

Could you do something like this before you try to use the mac field?

| makeresults
| eval mac="00:00:00:00:00:00"
| rex field=mac mode=sed "s/:/-/g"

If you have a field called mac can it be modified like specified in the rex before you use it?

0 Karma

bulu
New Member

As I said in the beginning, I'm just a beginner with Splunk. I search a DHCP database for the MAC address that had an IP address lease on a certain date. The DHCP database returns the MAC in the format a4:fc:77:3b:08:b7. I'm looking for a search string to search the Splunk logs on a specific date. Currently I'm running the search below, but I have to manually change the colons into dashes:

index=foo "a4-fc-77-3b-08-b7"

Everything I've tried so far has either failed or not returned the required information.

0 Karma
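An added example, not from any of the posters in this thread, showing one way to put the conversion and the index search together. The pipeline in the thread runs makeresults on its own: makeresults generates a single synthetic event stamped with the current time and never reads the index, which is why the time picker has no effect on it. Putting that conversion inside a subsearch lets the outer search, which does honour the selected time range, use the converted value as its search term. The index name foo and the MAC value are taken from the thread; the field name mac is an assumption.

```spl
index=foo
    [| makeresults
     | eval mac="a4:fc:77:3b:08:b7"
     | rex field=mac mode=sed "s/:/-/g"
     | return $mac]
```

The subsearch in square brackets runs first: it builds one event holding the colon-separated MAC, rewrites the colons to dashes with sed, and `return $mac` passes just the value back up as a search term, so the outer search runs as index=foo with the dashed MAC over whatever date range the time picker is set to. To confirm what the outer search actually executed, open Job > Inspect Job after running it and look at the expanded search string.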
