Splunk Search

How to extract MAC addresses from a log that has all values delimited by a comma, but the order of fields can change?

aer9480
Explorer

Hi,

I am trying to extract MAC addresses from a log that has all the values separated by a comma. I would use the delimiter for creating the field, but the order of the fields changes from time to time, and the values might be switched around. Is there any way to use REGEX to extract the MAC address? I tried several things on the REGEX extraction page, but had no luck. It works, but it doesn't recognize all the MACs, only some. Any ideas on how I can fix this? Thanks!


michael_sleep
Communicator

Without seeing an example of the MAC address format you're trying to parse, we'll just be guessing, but this might work for the common MAC formats. Set up a field extraction on that sourcetype and use this as the regex:

(?P<device_mac>[a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2}[\:\-][a-fA-F0-9]{2})

aer9480
Explorer

Thanks for the reply. I thought I had added the format in my other comment, but I guess I didn't. The format is aa-bb-cc-dd-ee-ff. This regex extracts the first instance of a MAC, but it ignores the second instance, and the second MAC is what I need to extract. Do you know of any way I can extract the second field that matches the pattern? Thanks!


michael_sleep
Communicator

You didn't say anything about there being more than one MAC address in your events in any of your posts, so the regex didn't account for that. You also said that the order they appear in changes, so how do you know it will always be the second MAC address in the event?

This will extract both into separate fields:

(?P<device_mac>([\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2})).*(?P<device_mac2>([\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}\-[\w\d]{2}))

aer9480
Explorer

It's kind of tricky. It will always be the second MAC in the log, but there may be 1 item in between the two MACs or there may be 3 items in between. It just depends on the log. But that works beautifully. Sorry I wasn't more clear about it in my original post. Thank you very much!


michael_sleep
Communicator

That's great. If you are satisfied with the answer, can you mark my response as such? Few people are following this question.


ppablo
Retired

Converted your comment to an official answer and accepted it 🙂

Cheers


Raghav2384
Motivator

Can you post the format of the MAC address itself? Is it like ab:cd:ef:gh:ij:kl OR abcd:efgh:ijkl OR ab-cd-ef-gh-ij-kl? etc. Based on the format (doesn't matter where it is), that would be helpful.

This is what I use.

| rex "(?<mac>[a-fA-F0-9\.:-]{12,17})" | rex field=mac mode=sed "s/(\.|:|-)//g"

You can use mode=sed or use replace command as well.

Thanks,
Raghav

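The regexes in michael_sleep's two-field answer and in Raghav's rex/sed pipeline above can be exercised outside Splunk, because Python's re module accepts the same (?P<name>...) named-group syntax that rex uses. The following is an added example written for this page, not code from any of the posters or from Splunk. The events are constructed to mimic the asker's description (comma-delimited, field order varies, one to three fields between the two MACs) and are not real log data. It shows three things the thread discusses: pulling every MAC out of an event no matter which column it lands in, picking the second one, and stripping the separators the way the mode=sed step does. It also shows the one caveat worth knowing about the greedy .* between the two named groups: with three MACs in an event, device_mac2 is the last MAC, not the second.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not the poster's real logs): comma-delimited,
# field order varies, and one to three fields sit between the two MACs.
SAMPLE_EVENTS = [
    "2016-01-01 10:00:00,switch01,aa-bb-cc-dd-ee-ff,port7,11-22-33-44-55-66,up",
    "2016-01-01 10:00:01,port3,switch02,AA:BB:CC:DD:EE:01,vlan10,desc,de:ad:be:ef:00:01",
    "2016-01-01 10:00:02,switch03,no-mac-here,down",
    # Three MACs: shows where the greedy .* in the two-group regex ends up.
    "2016-01-01 10:00:03,switch04,aa-bb-cc-dd-ee-ff,x,11-22-33-44-55-66,y,77-88-99-aa-bb-cc",
]

# One MAC: six hex pairs joined by ':' or '-'. Same shape as the accepted
# answer's regex, written with a repetition instead of spelling out all six octets.
MAC_RE = re.compile(r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")

# The two-field approach from the thread: two named groups with a greedy .* between.
TWO_MACS_RE = re.compile(
    r"(?P<device_mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
    r".*"
    r"(?P<device_mac2>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)


def all_macs(event: str) -> List[str]:
    """Every MAC in the event, in order of appearance, regardless of column."""
    return [m.group("mac") for m in MAC_RE.finditer(event)]


def second_mac(event: str) -> Optional[str]:
    """The second MAC (what the asker needs), or None if fewer than two are present."""
    macs = all_macs(event)
    return macs[1] if len(macs) > 1 else None


def two_mac_fields(event: str) -> Dict[str, str]:
    """Apply the two-group regex from the thread; empty dict when it does not match."""
    m = TWO_MACS_RE.search(event)
    return m.groupdict() if m else {}


def normalize_mac(mac: str) -> str:
    """Mirror the rex mode=sed step s/(\\.|:|-)//g: drop separators, lowercase."""
    return re.sub(r"[.:-]", "", mac).lower()


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev)
        print("  all MACs:    ", all_macs(ev))
        print("  second MAC:  ", second_mac(ev))
        print("  two fields:  ", two_mac_fields(ev))
        print("  normalized:  ", [normalize_mac(m) for m in all_macs(ev)])
```

Running it on the fourth event makes the difference visible: second_mac returns 11-22-33-44-55-66, while two_mac_fields reports 77-88-99-aa-bb-cc as device_mac2, because the greedy .* backtracks only far enough to let the last MAC match. If events can carry more than two MACs, extract them all (rex max_match=0 in Splunk, finditer here) and index into the result rather than relying on the two-group pattern.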

aer9480
Explorer

Sorry for the late response; I've been fiddling around with this for about a week, trying similar regex patterns and such with no luck. I still can't separate the MAC addresses into a field. I would like it to say something like "device_mac=MACADDRESS" underneath the log itself, but when I use REGEX, sometimes it works, and other times it doesn't pick up anything. Am I out of luck?
