Good morning Splunkers!
I need help please! I am working on a dashboard that shows a list of MAC Addresses and sometimes the list is over 100 different addresses depending on the area.
So basically, I need to take multiple rows and put them into one line. I have a table that utilizes the nomv command, but it limits the MAC Addresses to 100. I use this table to drilldown to a custom URL, which is another Splunk instance that passes the list of MAC Addresses into another search for further processing.
Below is what I have: it places colons between every two characters of an unformatted MAC Address, then throws it into a stats command to list them and add " OR " between each one, and finally the nomv takes multivalue fields and puts them into one row. I've played around with using the head and tail commands to get as much as I can; however, it is not enough and gives some duplicates if there are fewer than 200.
| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
| stats list(MAC_Address) as MAC_Address delim=" OR "
| nomv MAC_Address
I was wondering if there is another command/way that will allow me to take more than 100 and put them into one line to pass through? I am open to other methods such as scripting to accomplish this.
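Since the post is open to scripting, the following is an added example (not code from the original post or from Splunk) that does the same colon formatting and " OR " joining in Python with no ceiling on the number of values, and rejects anything that is not strictly 12 hex digits before it is handed to the second search. The function names, the `macs` parameter name and the sample addresses are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote

_SEPARATORS = re.compile(r"[:\-.]")       # separators that may already be present
_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")   # a MAC is exactly 12 hex digits


def format_mac(raw):
    """Return 'AA:BB:CC:DD:EE:FF' for a valid MAC, or None if it is not one."""
    digits = _SEPARATORS.sub("", raw.strip())
    if not _HEX12.fullmatch(digits):
        return None  # stricter than \w{2}: non-hex or wrong length is refused
    digits = digits.upper()  # normalise case so duplicates compare equal
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_or_clause(raw_macs):
    """Join every valid, distinct MAC with ' OR ', keeping first-seen order.

    Returns (clause, rejected) so bad input is reported, not passed along.
    """
    seen, ordered, rejected = set(), [], []
    for raw in raw_macs:
        mac = format_mac(raw)
        if mac is None:
            rejected.append(raw)
        elif mac not in seen:
            seen.add(mac)
            ordered.append(mac)
    return " OR ".join(ordered), rejected


def drilldown_param(clause, name="macs"):
    """Percent-encode the clause as one URL query parameter.

    'macs' is a placeholder name (assumption), not a Splunk parameter.
    """
    return f"{name}={quote(clause, safe='')}"


# Constructed sample: 150 unformatted addresses, one duplicate, two bad values.
SAMPLE = [f"0050568A{i:04X}" for i in range(150)]
SAMPLE += ["0050568a0000", "0050568A00ZZ", "not-a-mac"]

if __name__ == "__main__":
    clause, rejected = build_or_clause(SAMPLE)
    print(clause.count(" OR ") + 1, "addresses;", len(rejected), "rejected")
    print(drilldown_param(clause)[:80] + "...")
```
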