Splunk Search

How to Extract Mac Address Field from Cisco Mac Address Notification Traps

lim23
New Member

Hello,

I am trying to extract the MAC address from the following SNMP trap. The MAC address is embedded in the Hex-STRING. I want to skip over the first two octets after 'Hex-STRING' and use the following 6 octets. The first two, 02 00, can be different depending on which switch is sending the SNMP trap.

In this case, the MAC address that I would like to capture is:
91 08 00 11 19 D3.

2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) TRAP, SNMP v1, community blah    SNMPv2-SMI::enterprises.9.9.215.2 Enterprise Specific Trap (1) Uptime: 384 days, 23:02:38.16    SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00

The following REX Does NOT give me what I want:
(?i).*? (?P\s+\s+\d+\s+[a-f0-9]+\s+[a-f0-9]+\s+\d+\s+[a-f0-9]+)\s+\d+\s+\d+

0 Karma

lim23
New Member

Thanks for your response, Kristian. I used your regex to build a little table to parse out the Cisco MAC notification SNMP trap.

The 12 byte hex string has the following information in it.

first byte = operation (01 for added and 02 for removed MAC address from its ARP tables)
second+third byte = VLAN (in hex)
fourth-ninth byte = MAC address
tenth-eleventh byte = switch interface (in hex)
twelfth byte = operation (never seen this byte used)

Here is what I did with your help.

my_search | rex "Hex-STRING:(?<ACTION1>[\sa-fA-F0-9]{3})(?<VLAN_HEX>[\sa-fA-F0-9]{6})(?<MAC_ADDRESS>[\sa-fA-F0-9]{18})(?<PORT_HEX>[\sa-fA-F0-9]{6})" | rex "(?i)(?P<SWITCH>[^ ]+)\s+(?:\[[^\n\[]*){2}" | eval ACTION2=replace(ACTION1,"01","Added") | eval ACTION=replace(ACTION2,"02","Removed") | eval VLAN1=replace(VLAN_HEX,"\s","") | eval PORT1=replace(PORT_HEX,"\s","") | eval PORT=tonumber(PORT1, 16) | eval VLAN=tonumber(VLAN1, 16) | table _time, MAC_ADDRESS, ACTION, VLAN, PORT, SWITCH

0 Karma

kristian_kolb
Ultra Champion

Please mark as answered and/or upvote if your problem was solved, thanks.

/kristian

0 Karma

lim23
New Member

Thanks, I have included my search and rex, in case anyone out there is looking to use Splunk for real time end user tracking.

0 Karma

kristian_kolb
Ultra Champion

Good that it worked for you. Perhaps you could tidy it up a little more by not including the whitespace in the fields you extract, i.e. do:
Hex-STRING:\s(?<ACTION1>\d\d)\s+(?<VLAN_HEX>[a-fA-F0-9]{5})\s etc etc

Anyway, please mark the question as answered a/o upvote if your problem was solved. Thanks.

/kristian

0 Karma

kristian_kolb
Ultra Champion

Hi,

Your regex looks a bit complex, and also there are 2 \s+ as the first parts of the field you wish to extract. Also, there is the possibility that A-F may occur in other places than where you specified. Finally, your regex is not anchoring to any particular point in the event, so you could get strange results.

You could try it as a rex extraction:

your_search | rex "Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})"

or in props.conf

[your_sourcetype] 
EXTRACT-cisco_MAC = Hex-STRING:[\sa-fA-F0-9]{7}(?<my_MAC>[\sa-fA-F0-9]{17})

Hope this helps,

Kristian

0 Karma
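As an added example that is not part of this thread, the Python script below does outside Splunk what lim23's rex pipeline and Kristian's "Hex-STRING:" anchoring do inside it: it anchors on the literal Hex-STRING token, collects the whitespace-separated hex pairs, and decodes the 12 bytes with the layout lim23 describes (operation, VLAN, MAC, port, unused byte). With that layout the MAC of the quoted trap is 08 00 11 19 D3 35 (bytes four to nine), which is also what lim23's final rex extracts. The first sample line is the trap from the question; the second line, the hostname regex and all function names are constructed here for illustration.

```python
import re

# Constructed sample events. The first is the trap line quoted in the question
# (placeholder addresses kept as they appear there); the second is made up here
# to show an "Added" notification with different VLAN and port values.
SAMPLE_EVENTS = [
    "2012-04-23 13:08:11 test-switch [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) "
    "TRAP, SNMP v1, community blah    SNMPv2-SMI::enterprises.9.9.215.2 "
    "Enterprise Specific Trap (1) Uptime: 384 days, 23:02:38.16    "
    "SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = Hex-STRING: 02 00 91 08 00 11 19 D3 35 00 12 00",
    "2012-04-23 13:09:02 access-sw-02 [192.18.foo.foo] (via UDP: [192.18.foo.foo]:55287) "
    "TRAP, SNMP v1, community blah    SNMPv2-SMI::enterprises.9.9.215.2 "
    "Enterprise Specific Trap (1) Uptime: 12 days, 01:15:09.00    "
    "SNMPv2-SMI::enterprises.9.9.215.1.1.8.1.2.0 = Hex-STRING: 01 00 0A 00 1B 2C 3D 4E 5F 00 05 00",
]

# Anchor on the literal "Hex-STRING:" token (as Kristian's rex does) and take every
# following whitespace-separated hex pair, rather than counting characters blindly.
HEX_STRING_RE = re.compile(r"Hex-STRING:((?:\s+[0-9A-Fa-f]{2})+)")

# Hostname is the third whitespace-separated token, right before the first bracketed
# address. Assumption made here; the thread's rex "[^ ]+\s+(?:\[[^\n\[]*){2}" relies on
# the same position.
SWITCH_RE = re.compile(r"^\S+\s+\S+\s+(?P<switch>\S+)\s+\[")

# Operation codes as described in the thread: 01 = added, 02 = removed.
OPERATIONS = {0x01: "Added", 0x02: "Removed"}


def decode_mac_notification(payload):
    """Decode the 12-byte value using the layout given in the thread:
    byte 0 operation, bytes 1-2 VLAN, bytes 3-8 MAC, bytes 9-10 port, byte 11 unused."""
    if len(payload) != 12:
        raise ValueError(f"expected 12 bytes, got {len(payload)}")
    return {
        "action": OPERATIONS.get(payload[0], f"Unknown(0x{payload[0]:02x})"),
        "vlan": int.from_bytes(payload[1:3], "big"),
        "mac": ":".join(f"{b:02x}" for b in payload[3:9]),
        "port": int.from_bytes(payload[9:11], "big"),
    }


def parse_trap_event(event):
    """Pull the switch name and the decoded notification out of one trap line."""
    hm = HEX_STRING_RE.search(event)
    if hm is None:
        raise ValueError("no Hex-STRING value in event")
    raw = bytes.fromhex(re.sub(r"\s", "", hm.group(1)))
    fields = decode_mac_notification(raw)
    sm = SWITCH_RE.match(event)
    fields["switch"] = sm.group("switch") if sm else None
    return fields


def parse_all(events):
    """Decode a list of trap lines; one dict per event."""
    return [parse_trap_event(e) for e in events]


if __name__ == "__main__":
    for row in parse_all(SAMPLE_EVENTS):
        print(row)
```

Taking "every hex pair after the token" instead of a fixed-width character count means a stray double space in the event does not shift the fields, and the length check rejects anything that is not the 12-byte value this trap type carries.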