Hi Guys I'm fairly new to Splunk and SPL can someone help me break the below data into readable fields?
RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000
I'm able to extract the arp tables from my core routers and I want to create two tables, one will be IP and the other will be MAC
I want the IP table to include the 53*'s and the MAC filed to have the MAC's that start with 0x... I would like to omit 0x if possible.
Hi,
Can you please try below regex , this will generate IP
and MAC
fields.
<yourBaseSearch> | rex "ipNetToMediaPhysAddress\.\"\d+\"\.\"(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"\s+\=\s+\"0x(?<MAC>\w+)" max_match=0
Hi,
Can you please try below regex , this will generate IP
and MAC
fields.
<yourBaseSearch> | rex "ipNetToMediaPhysAddress\.\"\d+\"\.\"(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"\s+\=\s+\"0x(?<MAC>\w+)" max_match=0
Thank you, works exactly as I wanted it!
One more question. The MAC address filed comes through nicely, however the mac address comes in this format "34dbfd8de246 " is there a way to add semi colons to make it have semi colons like this "34:db:fd:8d:e2:46" within the same regex string without having to use the eval?