Searching on results of EVAL command

jasonheb · ‎09-22-2015

Hello
We are building a search to take a MAC address, evaluate all the potential formats that MAC address may be and take those results to search on
So we start with a MAC address like 00:01:02:03:04:05 and use eval to return all the potential formats

MAC1   0001:0203:0405
MAC2   0001.0203.0405
MAC3   00:01:02:03:04:05
MAC4   00.01.02.03.04.05
MAC5   00-01-02-03-04-05

We have that part sorted can return the MAC1 – 5 values – the search we use is

| eval MAC_to_Search="00:01:02:03:04:05" | dedup MAC_to_Search
| eval SimpleMAC=replace(MAC_to_Search,"\.","") 
| eval SimpleMAC=replace(SimpleMAC,"\:","") 
| eval SimpleMAC=replace(SimpleMAC,"\-","") 
| eval MAC1=trim(substr(SimpleMAC,1,4)+":"+substr(SimpleMAC,5,4)+":"+substr(SimpleMAC,9,4))
| eval MAC2=trim(substr(SimpleMAC,1,4)+"."+substr(SimpleMAC,5,4)+"."+substr(SimpleMAC,9,4))
| eval MAC3=trim(substr(SimpleMAC,1,2)+":"+substr(SimpleMAC,3,2)+":"+substr(SimpleMAC,5,2)+":"+substr(SimpleMAC,7,2)+":"+substr(SimpleMAC,9,2)+":"+substr(SimpleMAC,11,2))
| eval MAC4=trim(substr(SimpleMAC,1,2)+"."+substr(SimpleMAC,3,2)+"."+substr(SimpleMAC,5,2)+"."+substr(SimpleMAC,7,2)+"."+substr(SimpleMAC,9,2)+"."+substr(SimpleMAC,11,2))
| eval MAC5=trim(substr(SimpleMAC,1,2)+"-"+substr(SimpleMAC,3,2)+"-"+substr(SimpleMAC,5,2)+"-"+substr(SimpleMAC,7,2)+"-"+substr(SimpleMAC,9,2)+"-"+substr(SimpleMAC,11,2))|  table MAC1 MAC2 MAC3 MAC4 MAC5

Where I am failing is to use these returned values as the basic for a search, so I want to now search on the returned values MAC1, MAC2, MAC3, MAC4, MAC5
I tried

|  search (MAC1 OR MAC2 OR MAC3 OR MAC4 OR MAC5) [eval MAC_to_Search="0001:0203:0405"  | dedup MAC_to_Search
| eval SimpleMAC=replace(MAC_to_Search,"\.","") 
| eval SimpleMAC=replace(SimpleMAC,"\:","") 
| eval SimpleMAC=replace(SimpleMAC,"\-","") 
| eval MAC1=trim(substr(SimpleMAC,1,4)+":"+substr(SimpleMAC,5,4)+":"+substr(SimpleMAC,9,4))
| eval MAC2=trim(substr(SimpleMAC,1,4)+"."+substr(SimpleMAC,5,4)+"."+substr(SimpleMAC,9,4))
| eval MAC3=trim(substr(SimpleMAC,1,2)+":"+substr(SimpleMAC,3,2)+":"+substr(SimpleMAC,5,2)+":"+substr(SimpleMAC,7,2)+":"+substr(SimpleMAC,9,2)+":"+substr(SimpleMAC,11,2))
| eval MAC4=trim(substr(SimpleMAC,1,2)+"."+substr(SimpleMAC,3,2)+"."+substr(SimpleMAC,5,2)+"."+substr(SimpleMAC,7,2)+"."+substr(SimpleMAC,9,2)+"."+substr(SimpleMAC,11,2))
| eval MAC5=trim(substr(SimpleMAC,1,2)+"-"+substr(SimpleMAC,3,2)+"-"+substr(SimpleMAC,5,2)+"-"+substr(SimpleMAC,7,2)+"-"+substr(SimpleMAC,9,2)+"-"+substr(SimpleMAC,11,2))
| dedup eval_MAC_to_Search MAC1 MAC2 MAC3 MAC4 MAC5 | return MAC1 MAC2 MAC3 MAC4 MAC5]

But getting no returns. Obviously I am making some fundamental error and any help much appreciated

MuS · ‎09-22-2015

Hi jasonheb,

based on the provided examples:

MAC1   0001:0203:0405
MAC2   0001.0203.0405
MAC3   00:01:02:03:04:05
MAC4   00.01.02.03.04.05
MAC5   00-01-02-03-04-05

You can use regex to capture the MAC's in a new field called myMAC in this example:

| gentimes start=-1 | eval foo="MAC1   0001:0203:0405
MAC2   0001.0203.0405
MAC3   00:01:02:03:04:05
MAC4   00.01.02.03.04.05
MAC5   00-01-02-03-04-05" | rex max_match=0 field=foo "(?<myMAC>\d+[\:\.\-][^\r\n\s]+)" | table myMAC

the first line | gentimes start=-1 | eval foo=" is only used to create the field called foo which will be used by the regex

Hope this helps ...

cheers, MuS

Searching on results of EVAL command

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases