Splunk Search

How to extract MAC addresses from a log that has all values delimited by a comma, but the order of fields can change?

aer9480
Explorer

Hi,

I am trying to extract MAC addresses from a log that has all the values separated by a comma. I would use the delimiter for creating the field, but the order of the fields changes from time to time, and the values might be switched around. Is there any way to use REGEX to extract the MAC address? I tried several things on the REGEX extraction page, but had no luck. It works, but it doesn't recognize all the MACs, only some. Any ideas on how I can fix this? Thanks!

1 Solution

michael_sleep
Communicator

Without seeing an example of the MAC address format you're trying to parse we'll just be guessing, but this might work for the common MAC formats. Set up a field extraction on that sourcetype and use this as the regex:

(?P<device_mac>[a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2})

aer9480
Explorer

Thanks for the reply. I thought I had added the format in my other comment, but I guess I didn't. The format is aa-bb-cc-dd-ee-ff. This regex extracts the first instance of a MAC, but it ignores the second instance, and the second MAC is what I need to extract. Do you know of any way I can extract the second field that matches the pattern? Thanks!


michael_sleep
Communicator

You didn't say anything about there being more than one MAC address in your events in any of your posts, so the regex didn't account for that. You also said that the order they appear in changes, so how do you know it will always be the second MAC address in the event?

This will extract both into separate fields:

(?P<device_mac>([\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2})).*(?P<device_mac2>([\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}))
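
As an added example that is not part of the thread, the following Python script runs the patterns above over constructed comma-delimited events (Python's re module accepts the same (?P<name>...) syntax as Splunk's rex). It shows why a single capture group only ever yields the first MAC, that the greedy .* in the two-group regex actually returns the last MAC in the event rather than the second when more than two are present, and how Raghav's separator-stripping step normalises hyphen and colon forms for comparison.

```python
import re

# Constructed sample events (not from the original post): comma-delimited,
# field order varies, and the second MAC is the one the asker wants.
EVENTS = [
    "2024-01-01T10:00:00,switch01,aa-bb-cc-dd-ee-ff,port3,11-22-33-44-55-66",
    "2024-01-01T10:00:01,11-22-33-44-55-67,router,aa-bb-cc-dd-ee-01,vlan10,up",
    "2024-01-01T10:00:02,ap7,de-ad-be-ef-00-01,1,2,3,de-ad-be-ef-00-02,x,de-ad-be-ef-00-03",
]

# Six hex pairs separated by ':' or '-', as in the accepted answer's regex.
MAC = r"[a-fA-F0-9]{2}(?:[:-][a-fA-F0-9]{2}){5}"
ONE_MAC = re.compile(rf"(?P<device_mac>{MAC})")

# The two-group pattern from the follow-up: a greedy .* sits between the groups,
# so device_mac2 is whatever MAC appears LAST, not necessarily second.
TWO_MACS = re.compile(rf"(?P<device_mac>{MAC}).*(?P<device_mac2>{MAC})")


def first_mac(event):
    """A single capture group matches once: only the first MAC is returned."""
    m = ONE_MAC.search(event)
    return m.group("device_mac") if m else None


def greedy_second_mac(event):
    """What the two-group regex puts into device_mac2."""
    m = TWO_MACS.search(event)
    return m.group("device_mac2") if m else None


def all_macs(event):
    """Every MAC in the event, in order (findall returns the group's text)."""
    return ONE_MAC.findall(event)


def nth_mac(event, n):
    """The n-th MAC (1-based) regardless of how many fields sit between them."""
    macs = all_macs(event)
    return macs[n - 1] if len(macs) >= n else None


def normalize(mac):
    """Raghav's sed step: drop '.', ':' and '-' so formats compare equal."""
    return re.sub(r"[.:-]", "", mac).lower()
```

In Splunk the findall equivalent is `rex max_match=0`, which returns a multivalue field you can then pick from with `mvindex`.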

aer9480
Explorer

It's kind of tricky. It will always be the second MAC in the log, but there may be 1 item in between the two MACs or there may be 3 items in between. It just depends on the log. But that works beautifully. Sorry I wasn't more clear about it in my original post. Thank you very much!


michael_sleep
Communicator

That's great. If you are satisfied with the answer, can you mark my response as such? A few people are following this question.


ppablo
Retired

Converted your comment to an official answer and accepted it 🙂

Cheers


Raghav2384
Motivator

Can you post the format of the MAC address itself? Is it like ab:cd:ef:gh:ij:kl OR abcd:efgh:ijkl OR ab-cd-ef-gh-ij-kl? etc. Based on the format (doesn't matter where it is) that would be helpful.

This is what I use.

| rex "(?<mac>[a-fA-F0-9\.:-]{12,17})" | rex field=mac mode=sed "s/(\.|:|-)//g"

You can use mode=sed or use replace command as well.

Thanks,
Raghav


aer9480
Explorer

Sorry for the late response; I've been fiddling around with this for about a week, trying similar regex patterns and such with no luck. I still can't separate the MAC addresses into a field. I would like it to say something like "device_mac=MACADDRESS" underneath the log itself, but when I use REGEX, sometimes it works, and other times it doesn't pick up anything. Am I out of luck?
