Hello. This search returns zero results, but a manual "OR" search shows results. I cannot find the reason (neither can ChatGPT). The end result would be a query where I can input any format of MAC address in one section, but automatically search for all formats shown.  Any guidance would be appreciated. BTW, this is a local Splunk installation.  (Please ignore the "xxxx".) | makeresults | eval input_mac="48a4.93b9.xxxx" | eval mac_clean=lower(replace(input_mac, "[^0-9A-Fa-f]", "")) | eval mac_colon=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1:\2:\3:\4:\5:\6") | eval mac_hyphen=replace(mac_clean, "(..)(..)(..)(..)(..)(..)", "\1-\2-\3-\4-\5-\6") | eval mac_dot=replace(mac_clean, "(....)(....)(....)", "\1.\2.\3") | fields mac_clean mac_colon mac_hyphen mac_dot | eval search_string="\"" . mac_clean . "\" OR \"" . mac_colon . "\" OR \"" . mac_hyphen . "\" OR \"" . mac_dot . "\"" | table search_string | map search="search index=main sourcetype=syslog ($search_string$) | table _time host _raw" ... View more

Hello. I cannot find an answer to this simple question, although I have found other information utilizing props.conf and transforms in more complicated situations. I currently have a single Splunk instance as an all-in-one solution, and I am looking for a simple method to truncate ISE logs to 2000 characters to lower Splunk database size. ISE itself is not capable of this. I am very familiar with Splunk via GUI, but not at all with modifying the configuration files, so step by step instructions would be very helpful. Thanks in advance. ... View more