- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- recalculate format of mac address dependent on inp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear community
I am struggling with how to allow different format in a search input, but still finding the corresponding events
In my events I have mac addresses of this format 84-57-33-0D-B4-A8
I have built a dynamic dashboard where the mac adresses are found if the user types in exactly this format .
However the user might search for a mac address like this
8457330DB4A8
or
84:57:33:0D:B4:A8
so in order to find results successfully, I have to recalculate the two inputs, so that are changed to the expected format.
So a test query like this recalculates the first format
|makeresults
| eval m = "aab2c34be26e"
| eval MAC2 = substr(m,1,2)."-".substr(m,3,2)."-".substr(m,5,2)."-".substr(m,7,2)."-".substr(m,9,2)."-".substr(m,11,2)
| fields MAC2
a test query like this recalculates the second format:
|makeresults
| eval m = "aa:c3:4b:e2:6e"
| eval MAC2 = replace (m,":","-")
| fields MAC2
But I am failing to combine it to a joint query dependent on the input
if my $mac$ address can be all three formats, then I have to choose the recalculation dependent on the input.
My idea would be to write a condition with a regex match of $mac$ with
([0-9A-Fa-f]{2}[-]){5} then no recalculation
([0-9A-Fa-f]{2}[:]){5} then replace like shown above
([0-9A-Fa-f]{2}){5} then substitute like shown above
I tried several ways of CASE and IF, but never got it to work... any help highly appreciated!
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
MYsearchstring
| eval mac="$mac$"
| rex field=mac max_match=0 "(?<m>[0-9A-Fa-f\*]{1,2})"
| eval formatted_mac=replace(if(len(mac)>2, mvjoin(m,"-"), mac),"\*",".*")
| where match(EndPointMACAddress,formatted_mac)
| table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
MYsearchstring
| eval mac="$mac$"
| rex field=mac max_match=0 "(?<m>[0-9A-Fa-f\*]{1,2})"
| eval formatted_mac=replace(if(len(mac)>2, mvjoin(m,"-"), mac),"\*",".*")
| where match(EndPointMACAddress,formatted_mac)
| table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks! Worked excellent. Still trying to understand the if statement, but I will get there 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pick out pairs of characters, then recombine them
| makeresults
| eval mac1="84-57-33-0D-B4-A8"
| eval mac2="8457330DB4A8"
| eval mac3="84:57:33:0D:B4:A8"
| rex field=mac1 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| rex field=mac2 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr2=mvjoin(mac,"-")
| rex field=mac3 max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr3=mvjoin(mac,"-")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
thanks, that really helped me a lot. I have one last problem though, if the user in my dynamic dashboard does not type in a mac adress, but uses * in order to see all adressed, the search does not work correctly any longer.
This is my search with the varable
MYsearchstring
| eval mac="$mac$"
| rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})" | eval addr1=mvjoin(mac,"-") | where EndPointMACAddress=addr1 | table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action
this is the example where the user would use the format C4:E9:0A:B7:F5:76 for the variable
MYsearchstring
| eval mac="C4:E9:0A:B7:F5:76" | rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| where EndPointMACAddress=addr1 | table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action
that works fine.
But if the variable is * it does not work. I would like to be able to display all found mac adresses in the table...
MYsearchstring
| eval mac="*" | rex field=mac max_match=0 "(?<mac>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac,"-")
| where EndPointMACAddress=addr1 | table NetworkDeviceName NAS_Port_Id EndPointMACAddress vendor_action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex field=mac1 max_match=0 "(?<mac1>[0-9A-Fa-f]{2})"
| eval addr1=mvjoin(mac1,"-")
| eval addr1=replace(addr1,"\*",".*")
| where match(EndPointMACAddress,addr1)
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
