I'm still pretty new, so the answer is probably easy, but I am stuck trying to make this search form work. The goal is to allow our users to enter a MAC address in any format such as:
0030652afccb
00:30:65:2a:fc:cb
00-30-65-2a-fc-cb
00 30 65 2a fc cb
0030.652a.fccb
and have it search across the index for anything that matches (which could be in most of the above formats), and display the log messages that match. For the sake of simplicity, we'll say the index=network (but it's really several indexes). Not all of the MAC addresses are parsed into searchable fields in all the indexes, so we are free-text searching.
My thought is the best way to accomplish this is to:
eval MAC=replace("$mac_address$","[\s.:-]","")
rex field=MAC "^(?<octet1>..)(?<octet2>..)(?<octet3>..)(?<octet4>..)(?<octet5>..)(?<octet6>..)$"
index=network "$octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$" OR "$octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$" OR "$octet1$$octet2$.$octet3$$octet4$.$octet5$$octet6$" OR "$octet1$$octet2$$octet3$$octet4$$octet5$$octet6$"
I'm stuck trying to get the 6 extracted octet values to populate the search in step 3. If this matters, I'm building it in an XML form, but it's only the search query that isn't working.
Thanks in advance!
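The three steps above, carried through outside the dashboard so the intended search string can be seen and checked. This is an added example and not part of the original post or anyone's dashboard: the index name `network` comes from the post, the function names and the sample inputs are constructed here, and the OR list adds the space-separated spelling, which the post's step 3 omits even though it appears in the input list. It also rejects anything that is not exactly twelve hex digits, which the post's replace/rex pair does not do on its own.

```python
import re

# Constructed sample inputs: the five spellings from the post plus an
# upper-case one. All of them must normalize to the same twelve digits.
SAMPLE_INPUTS = [
    "0030652afccb",
    "00:30:65:2a:fc:cb",
    "00-30-65-2a-fc-cb",
    "00 30 65 2a fc cb",
    "0030.652a.fccb",
    "00:30:65:2A:FC:CB",
]

SEPARATORS = re.compile(r"[\s.:-]")   # same class as the post's replace()
HEX12 = re.compile(r"^[0-9a-f]{12}$")  # what must remain after stripping


def normalize_mac(raw: str) -> str:
    """Step 1: strip separators and return twelve lowercase hex digits.

    Raises ValueError for anything else, so a malformed (or deliberately
    crafted) form value never reaches the search string.
    """
    stripped = SEPARATORS.sub("", raw.strip()).lower()
    if not HEX12.match(stripped):
        raise ValueError(f"not a MAC address: {raw!r}")
    return stripped


def is_mac(raw: str) -> bool:
    """True when normalize_mac() would accept the value."""
    try:
        normalize_mac(raw)
    except ValueError:
        return False
    return True


def split_octets(mac12: str) -> list[str]:
    """Step 2: the rex in the post, as a plain two-character slice."""
    return [mac12[i:i + 2] for i in range(0, 12, 2)]


def mac_variants(octets: list[str]) -> list[str]:
    """Step 3: every spelling to OR together, in the post's order, plus
    the space-separated form (added here; it is in the post's input list
    but not in its search)."""
    o = octets
    dotted = ".".join(["".join(o[0:2]), "".join(o[2:4]), "".join(o[4:6])])
    return [":".join(o), "-".join(o), dotted, "".join(o), " ".join(o)]


def build_search(raw: str, index: str = "network") -> str:
    """The free-text search the dashboard should end up running."""
    variants = mac_variants(split_octets(normalize_mac(raw)))
    terms = " OR ".join(f'"{v}"' for v in variants)
    return f"index={index} {terms}"


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r:24} -> {build_search(value)}")
    for bad in ["00:30:65:2a:fc", '0030652afccb" OR * | delete']:
        print(f"{bad!r:24} -> accepted={is_mac(bad)}")
```

The validation step is the part worth keeping whatever the dashboard mechanics turn out to be: a form token is substituted into the query as text, so the only thing the search should ever see is a value that has already been reduced to twelve hex digits.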
Run each of the tests one at a time and see which one kills it. I believe the issue may be with the last one, because I've had problems with two tokens together. The middle dollar signs together might be what is messing it up. You may have to extract the double-octets separately and use them that way.
$octet1$$octet2$
Are you sure that step #2 is producing the results you want? That seems like a question about something obvious, but your step #3 seems to be fine. That's why I ask that question.
I typo'd the original question.
What I meant to say was "I'm stuck trying to get the 6 extracted octet values to populate the search in step 4"
1, 2, 3 seem to be doing what I need them to. Sorry about that!
Hey @rpquinlan, can you let me know approximately what time you posted when your comment disappeared? I'll investigate the platform records.
Browser cache issue, I think. It's there now. My apologies.
So the values for the octets need to be in tokens in order to use $octet1$ (for example). Have you done that in your dashboard?
I'm quite sure I have not done that. Are you able to help with how, since the octets are created by the rex in the query? I'm stuck trying to figure that out.
@rpquinlan did you ever get this figured out?
I am also trying to do a multi-format search via a dashboard and I got about as far as your last post.
Thanks.
When I added something like this to the search
| table octet1,octet2,octet3,octet4,octet5,octet6,_raw
it did populate those 6 columns with a broken-out version of the MAC address I entered. Perhaps I'm just failing in trying to create the entire search string?
My whole query is:
index=network "$octet1$:$octet2$:$octet3$:$octet4$:$octet5$:$octet6$" OR "$octet1$-$octet2$-$octet3$-$octet4$-$octet5$-$octet6$" OR "$octet1$$octet2$.$octet3$$octet4$.$octet5$$octet6$" OR "$octet1$$octet2$$octet3$$octet4$$octet5$$octet6$"
| eval MAC=replace("$mac_address$","[\s.:-]","")
| rex field=MAC "^(?<octet1>..)(?<octet2>..)(?<octet3>..)(?<octet4>..)(?<octet5>..)(?<octet6>..)$"
But when I submit this, nothing happens: "Search is waiting for input".