Hello,
I am trying to extract the mac address from the following snmp trap. The mac address is embedded in the Hex-STRING. I want to skip over the first two octets after 'Hex-STRING' and use the following 6 octets. The first two: 02 00, can be different depending on which switch is sending the snmp trap.
In this case, the MAC address that I would like to capture is:
91 08 00 11 19 D3.
2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) TRAP, SNMP v1, community blah SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific Trap (1) Uptime: 384 days, 23:02:38.16 SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00
The following REX Does NOT give me what I want:
(?i).*? (?P
Thanks for your response Kristian. I used your regex to build a little table to parse out the Cisco mac notification snmp-trap.
The 12 byte hex string has the following information in it.
first byte = operation (01 for added and 02 for removed mac address from its arp tables)
second+third byte = VLan (In HEX)
fourth-ninth byte = MAC Address
tenth-eleventh byte = Switch Interface (In HEX)
twelfth byte = operation (never seen this byte used)
Here is what I did with your help.
my_search | rex "Hex-STRING:(?
Please mark as answered and/or upvote if your problem was solved, thanks.
/kristian
Thanks, I have included my search and rex, in case anyone out there is looking to use Splunk for real time end user tracking.
Good that it worked for you. Perhaps you could tidy it up a little more by not including the whitespace in the fields you extract, i.e. do:
Hex-String:\s(?
Anyway, please mark the question as answered a/o upvote if your problem was solved. Thanks.
/kristian
Hi,
Your regex looks a bit complex, and also there are 2 \s+ as the first parts of the field you wish to extract. Also, there is the possibility that A-F may occur in other places than where you specified. Finally, your regex is not anchoring to any particular point in the event, so you could get strange results.
You could try it as a rex extraction:
your_search | rex "Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})"
or in props.conf
[your_sourcetype]
EXTRACT-cisco_MAC = Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})
Hope this helps,
Kristian
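As an added worked example (not code from the thread or from Splunk), the following Python script does two things on the trap line shown in the question: it applies Kristian's rex above to pull out the 17-character MAC field exactly as Splunk would (Splunk's (?<name>...) is written as Python's (?P<name>...)), and it decodes the 12-byte hex string using the byte layout listed in the follow-up post (operation, VLAN, MAC, interface; the twelfth byte is ignored as the post says it is never used). The field names operation/vlan/mac/port and the length check are my own assumptions. Note that on this sample line the two methods disagree about where the MAC starts: the rex skips two octets, as the original question asked, while the layout table skips three, so a practitioner should pick one based on which is correct for their switch.

```python
import re

# Constructed sample: the trap line quoted in the question (addresses already redacted there)
SAMPLE_TRAP = (
    "2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) "
    "TRAP, SNMP v1, community blah SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific "
    "Trap (1) Uptime: 384 days, 23:02:38.16 SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = "
    "Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00"
)

# Kristian's rex: 7 chars after "Hex-STRING:" cover " 02 00 " (the two variable octets),
# then 17 chars of hex digits and spaces make up the six-octet MAC.
MAC_REX = re.compile(r"Hex-STRING:[\sa-fA-F0-9]{7}(?P<my_MAC>[\sa-fA-F0-9]{17})")

# Grabs every space-separated octet that follows "Hex-STRING:" so the whole payload can be decoded.
HEX_PAYLOAD = re.compile(r"Hex-STRING:((?:\s[0-9A-Fa-f]{2})+)")

# Operation byte values as described in the follow-up post (assumed mapping names)
OPERATIONS = {0x01: "added", 0x02: "removed"}


def extract_mac_with_rex(event):
    """Return the my_MAC field Kristian's rex would extract, or None if the event has no match."""
    m = MAC_REX.search(event)
    return m.group("my_MAC") if m else None


def decode_mac_notification(event):
    """Decode the hex payload using the byte layout from the follow-up post.

    byte 0      operation (01 added, 02 removed)
    bytes 1-2   VLAN (big-endian)
    bytes 3-8   MAC address
    bytes 9-10  switch interface index (big-endian)
    byte 11     unused per the post, so it is not decoded here
    """
    m = HEX_PAYLOAD.search(event)
    if not m:
        return None
    data = bytes.fromhex("".join(m.group(1).split()))
    if len(data) < 11:
        raise ValueError(f"payload too short for a MAC notification: {len(data)} bytes")
    return {
        "operation": OPERATIONS.get(data[0], f"unknown(0x{data[0]:02x})"),
        "vlan": int.from_bytes(data[1:3], "big"),
        "mac": ":".join(f"{b:02X}" for b in data[3:9]),
        "port": int.from_bytes(data[9:11], "big"),
    }


if __name__ == "__main__":
    print("rex field my_MAC :", extract_mac_with_rex(SAMPLE_TRAP))
    print("decoded payload  :", decode_mac_notification(SAMPLE_TRAP))
```

Running the script prints "91 08 00 11 19 D3" for the rex field (the octets the question asked for) and, from the layout decoder, operation "removed", VLAN 145, MAC 08:00:11:19:D3:35 and port 18 for the same line; events without a Hex-STRING yield None from both functions rather than a bogus match.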