Splunk Search

recalculate format of mac address dependent on input

Ida_2017
Explorer

Dear community

I am struggling with how to allow different formats in a search input, but still find the corresponding events.

In my events I have mac addresses in this format: 84-57-33-0D-B4-A8

I have built a dynamic dashboard where the mac addresses are found if the user types in exactly this format.

However the user might search for a mac address like this 

8457330DB4A8 

or

84:57:33:0D:B4:A8

so in order to find results successfully, I have to recalculate the two inputs so that they are changed to the expected format.

So a test query like this recalculates the first format:

| makeresults
| eval m = "aab2c34be26e"
| eval MAC2 = substr(m,1,2)."-".substr(m,3,2)."-".substr(m,5,2)."-".substr(m,7,2)."-".substr(m,9,2)."-".substr(m,11,2)
| fields MAC2

A test query like this recalculates the second format:

| makeresults
| eval m = "aa:c3:4b:e2:6e"
| eval MAC2 = replace(m,":","-")
| fields MAC2

But I am failing to combine it into a joint query dependent on the input.

If my $mac$ address can be in all three formats, then I have to choose the recalculation dependent on the input.

My idea would be to write a condition with a regex match of $mac$ with:

([0-9A-Fa-f]{2}[-]){5} then no recalculation
([0-9A-Fa-f]{2}[:]){5} then replace like shown above
([0-9A-Fa-f]{2}){5} then substitute like shown above

I tried several ways of CASE and IF, but never got it to work... any help highly appreciated!

Thanks
1 Solution

somesoni2
SplunkTrust

Give this a try

MYsearchstring
| eval mac="$mac$"
| rex field=mac max_match=0 "(?<m>[0-9A-Fa-f\*]{1,2})" 
| eval formatted_mac=replace(if(len(mac)>2, mvjoin(m,"-"), mac),"\*",".*") 
| where match(EndPointMACAddress,formatted_mac)
| table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action


Ida_2017
Explorer

Thanks! Worked excellently. Still trying to understand the if statement, but I will get there 🙂

ITWhisperer
SplunkTrust

Pick out pairs of characters, then recombine them

| makeresults
| eval mac1="84-57-33-0D-B4-A8"
| eval mac2="8457330DB4A8"
| eval mac3="84:57:33:0D:B4:A8"
| rex field=mac1 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| rex field=mac2 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr2=mvjoin(mac,"-")
| rex field=mac3 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr3=mvjoin(mac,"-")

Ida_2017
Explorer

Hello

thanks, that really helped me a lot. I have one last problem though: if the user in my dynamic dashboard does not type in a mac address, but uses * in order to see all addresses, the search does not work correctly any longer.

This is my search with the variable:

MYsearchstring
| eval mac="$mac$"
| rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| where EndPointMACAddress=addr1
| table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action

This is the example where the user would use the format C4:E9:0A:B7:F5:76 for the variable:

MYsearchstring
| eval mac="C4:E9:0A:B7:F5:76"
| rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| where EndPointMACAddress=addr1
| table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action

That works fine.

But if the variable is * it does not work. I would like to be able to display all found mac addresses in the table...

MYsearchstring
| eval mac="*"
| rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| where EndPointMACAddress=addr1
| table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action


ITWhisperer
SplunkTrust

| rex field=mac1 max_match=0 "(?<mac1>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac1,"-")
| eval addr1=replace(addr1,"\*",".*")
| where match(EndPointMACAddress,addr1)
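The accepted answer from somesoni2 and ITWhisperer's wildcard-aware reply above both follow the same chain: rex pulls out hex pairs (and `*`), mvjoin glues them with "-", replace turns `*` into `.*`, and match() uses the result as a regex against EndPointMACAddress. The Python below is an added example that re-implements that chain outside Splunk so its behaviour on the three input formats and on the `*` case can be checked offline; it is not code from the thread. The field names (EndPointMACAddress, NAS_Port_Id, NetworkDeviceName, vendor_action) are taken from the thread, the event rows are constructed sample data, and two details are deliberate deviations from the SPL: `*` is always tokenized on its own (the thread's single class `[0-9A-Fa-f\*]{1,2}` can pair a wildcard with a neighbouring hex digit, e.g. "8*"), and hex tokens are upper-cased on the assumption that events store MACs in upper case as in the examples, since SPL's match() is case-sensitive by default.

```python
import re
from typing import Dict, List

# Constructed sample events standing in for the dashboard's MYsearchstring results.
# Field names follow the thread; the values are made up.
EVENTS: List[Dict[str, str]] = [
    {"NetworkDeviceName": "sw-floor1", "NAS_Port_Id": "Gi1/0/1",
     "EndPointMACAddress": "84-57-33-0D-B4-A8", "vendor_action": "allow"},
    {"NetworkDeviceName": "sw-floor1", "NAS_Port_Id": "Gi1/0/2",
     "EndPointMACAddress": "C4-E9-0A-B7-F5-76", "vendor_action": "allow"},
    {"NetworkDeviceName": "sw-floor2", "NAS_Port_Id": "Gi1/0/7",
     "EndPointMACAddress": "84-57-33-11-22-33", "vendor_action": "deny"},
]

# Tokenizer in the spirit of the thread's rex: a hex pair (or a lone hex digit) or '*'.
# '*' is its own alternative so it can never be fused with an adjacent hex digit.
TOKEN_RE = re.compile(r"[0-9A-Fa-f]{1,2}|\*")


def mac_to_pattern(user_input: str) -> str:
    """Equivalent of: rex max_match=0 -> mvjoin(m, "-") -> replace(..., "\\*", ".*").

    Separators the user typed (':', '-', '.', spaces, or none at all) are simply
    dropped, because only hex tokens and '*' survive tokenization; nothing else
    from the input ever reaches the regex that match() will evaluate.
    """
    tokens = TOKEN_RE.findall(user_input)          # rex ... max_match=0
    if not tokens:
        # Nothing usable typed: return a regex that matches nothing rather than "".
        return r"(?!)"
    # Assumption: events store hex in upper case, so normalize the input the same way.
    normalized = [t if t == "*" else t.upper() for t in tokens]
    dashed = "-".join(normalized)                   # mvjoin(m, "-")
    return dashed.replace("*", ".*")                # replace(formatted, "\*", ".*")


def find_events(user_input: str, events: List[Dict[str, str]] = EVENTS) -> List[Dict[str, str]]:
    """Equivalent of `| where match(EndPointMACAddress, formatted_mac)`.

    SPL match() is an unanchored regex test, so re.search is used here too; a
    partial MAC such as "84-57-33" therefore behaves as a substring filter.
    """
    pattern = re.compile(mac_to_pattern(user_input))
    return [e for e in events if pattern.search(e["EndPointMACAddress"])]


if __name__ == "__main__":
    for typed in ("84-57-33-0D-B4-A8", "8457330DB4A8", "84:57:33:0D:B4:A8", "*", "84:57*"):
        hits = [e["EndPointMACAddress"] for e in find_events(typed)]
        print(f"{typed!r:22} -> pattern {mac_to_pattern(typed)!r:22} matches {hits}")
```

The SPL in the accepted answer branches on `len(mac)>2` so that a bare `*` is passed through untouched; with `*` as its own token the join already yields `*` for that input, so the Python version always tokenizes and needs no branch. The same tokenizing step is what makes the construction safe to feed into match(): whatever characters the dashboard user types, only hex digits and the intended wildcard end up in the regex.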