×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lim23
New Member
Member since: ‎12-07-2011
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-07-2011
View All

Re: How to Extract Mac Address Field from Cisco Ma...

by in Splunk Search
‎04-25-2012 01:30 PM
‎04-25-2012 01:30 PM
Thanks, I have included my search and rex, in case anyone out there is looking to use Splunk for real time end user tracking. ... View more

Re: How to Extract Mac Address Field from Cisco Ma...

by in Splunk Search
‎04-24-2012 02:57 PM
‎04-24-2012 02:57 PM
Thanks for your response Kristian. I used your regex to build a little table to parse out the Cisco mac notification snmp-trap. The 12 byte hex string has the following information in it. first byte = operation (01 for added and 02 for removed mac address from its arp tables) second+third byte = VLan (In HEX) fourth-ninth byte = MAC Address tenth-eleventh byte = Switch Interface (In HEX) twelfth byte = operation (never seen this byte used) Here is what I did with your help. my_search | rex "Hex-STRING:(? [\sa-fA-F0-9]{3})(? [\sa-fA-F0-9]{6})(? [\sa-fA-F0-9]{18})(? [\sa-fA-F0-9]{6})" | rex "(?i)(?P [^ ]+)\s+(?:\[[^\n\[]*){2}" | eval ACTION2=replace(ACTION1,"01","Added") | eval ACTION=replace(ACTION2,"02","Removed") | eval VLAN1=replace(VLAN_HEX,"\s","") | eval PORT1=replace(PORT_HEX,"\s","") | eval PORT=tonumber(PORT1, 16) | eval VLAN=tonumber(VLAN1, 16) | table _time, MAC_ADDRESS, ACTION, VLAN, PORT, SWITCH ... View more

How to Extract Mac Address Field from Cisco Mac Ad...

by in Splunk Search
‎04-23-2012 01:32 PM
‎04-23-2012 01:32 PM
Hello, I am trying to extract the mac address from the following snmp trap. The mac address is embedded in the Hex-STRING. I want to skip over the first two octets after 'Hex-STRING' and use the following 6 octets. The first two: 02 00, can be diffrent depending on which switch is sending the snmp trap. In this case, the MAC address that I would like to capture is: 91 08 00 11 19 D3. 2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) TRAP, SNMP v1, community blah SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific Trap (1) Uptime: 384 days, 23:02:38.16 SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00 The following REX Does NOT give me what I want: (?i).*? (?P \s+\s+\d+\s+[a-f0-9]+\s+[a-f0-9]+\s+\d+\s+[a-f0-9]+)\s+\d+\s+\d+ ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM