First, let me start by saying I am not a programmer, a Splunk expert, or highly experienced with regex or sed. I say this so you understand that if you offer an answer, please do not leave any steps out expecting I know what should fill in the blanks.
I get MAC addresses in the format 00:00:00:00:00:00, but the logs I need to search are in the format 00-00-00-00-00-00. I'm looking for a way for Search to take the input with colons and convert the colons to dashes before executing the search, so we do not have to manually change them before executing our search.
If I put the strings below into the search bar, it returns the MAC address in the correct format, but it only searches today's logs despite what date range I've selected.
| makeresults
| eval mac="a4:fc:77:3b:08:b7"
| rex field=mac mode=sed "s/:/-/g"
_time mac
2020-02-07 16:06:42 a4-fc-77-3b-08-b7
What does your search look like? The example I posted was to demonstrate using rex to transform your mac.
If you have a search like this:
index=foo sourcetype=bar host=abc
and your mac field is available but in the wrong format, you can adjust it at this point. This is where you would transform it with | rex field=mac mode=sed "s/:/-/g"
Could you do something like this before you try to use the mac field?
| makeresults
| eval mac="00:00:00:00:00:00"
| rex field=mac mode=sed "s/:/-/g"
If you have a field called mac, can it be modified like specified in the rex before you use it?
As I said in the beginning, I'm just a beginner with Splunk. I search a DHCP database for the MAC address that had an IP address lease on a certain date. The DHCP database returns the MAC in the format a4:fc:77:3b:08:b7. I'm looking for a search string to search the Splunk logs on a specific date; currently I'm running the search below, but I have to manually change the colons into dashes:
index=foo "a4-fc-77-3b-08-b7"
Everything I've tried so far has either failed or not returned the required information.
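Added example, not from anyone in this thread: one way to let Splunk do the colon-to-dash conversion inside the search itself. A makeresults pipeline on its own generates a single synthetic event stamped with the current time and never reads index=foo, which is why it appears to ignore the time picker. Wrapping that pipeline in a subsearch turns the converted value into a quoted search term for the outer search, and the outer search then honours whatever date range is selected. The index name and the MAC value are the ones posted above; that the dashed MAC appears as a literal token in the raw events (so a bare quoted term matches it) is an assumption carried over from the poster's working manual search.

```spl
index=foo
    [| makeresults
     | eval mac="a4:fc:77:3b:08:b7"
     | rex field=mac mode=sed "s/:/-/g"
     | return $mac]
```

The subsearch runs first and returns only the field's value (return $mac emits "a4-fc-77-3b-08-b7" rather than mac="a4-fc-77-3b-08-b7"), so the outer search becomes index=foo "a4-fc-77-3b-08-b7", the same string that was previously typed by hand. The rex line can be swapped for | eval mac=replace(mac, ":", "-") with identical results; to search a different address, only the value in the eval line changes.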