Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

change colon to dash in Search

bulu
New Member
‎02-07-2020 10:48 AM

First, let me start by saying I am not a programmer, a Splunk expert, highly experienced with Regex or SED. I say this so you understand if you offer an answer please do not leave any steps out expecting I know what should fill in the blanks.

I get MAC addresses in the format of 00:00:00:00:00:00 but the logs I need to search are in the format of 00-00-00-00-00-00, I'm looking for a way for Search to take the input with colons and convert the colons to dashes before executing the search so we do not have to manually change before executing our search.

Tags (1)
0 Karma
Reply

bulu
New Member
‎02-07-2020 01:09 PM

If i put the below strings into the search bar it returns the MAC address in the correct format, but it only searches today's logs despite what date range I've selected

| makeresults
| eval mac="a4:fc:77:3b:08:b7"
| rex field=mac mode=sed "s/:/-/g"

_time mac
2020-02-07 16:06:42 a4-fc-77-3b-08-b7

0 Karma
Reply

jpolvino
Builder
‎02-07-2020 01:43 PM

What does your search look like? The example I posted was to demonstrate using rex to transform your mac.

If you have a search like this:
index=foo sourcetype=bar host=abc
and your mac field is available but in the wrong format, you can adjust it at this point. This is where you would transform it with | rex field=mac mode=sed "s/:/-/g"

0 Karma
Reply

jpolvino
Builder
‎02-07-2020 12:31 PM

Could you do something like this before you try to use the mac field?

| makeresults
| eval mac="00:00:00:00:00:00"
| rex field=mac mode=sed "s/:/-/g"

If you have a field called mac can it be modified like specified in the rex before you use it?

0 Karma
Reply

bulu
New Member
‎02-10-2020 06:03 AM

As I said in the beginning, I'm just a beginner with Splunk. I search a DHCP database for the MAC address that had an IP address lease on a certain date. The DHCP database returns the MAC in the format a4:fc:77:3b:08:b7, I'm looking for a search string to search the Splunk logs on a specific date, currently I'm running the search below but I have to manually change the colons into dashes:

index=foo "a4-fc-77-3b-08-b7"

Everything I've tried so far has either failed or not returned the required information.

0 Karma
Reply

jethrop
Explorer
‎02-07-2020 11:26 AM

how about replace? https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/SearchReference/Replace

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...