Hello fellow Splunkers! First post here on the forums.
I've been looking around and trying to do this particular task for over a week but I feel I've hit a wall. I want to be able to edit a text input from a dashboard where the user will enter a MAC address with colons, but in the search use that same MAC address without colons. Reason being that the user will get the MAC addresses from sourcetype=linux_syslog where the field with the MAC address will have the value with colons: macAddr="a1:b2:c3:d4:e5:f6"
That MAC address will then be used in sourcetype=radius where the field with the MAC address does NOT have colons: radMacAddr="a1b2c3d4e5f6" .
I currently use the token of $mac_address$ for the inputted text and use rex to take out the colons: | eval rex_macaddr="$mac_address$" | rex mode=sed field=rex_macaddr "s/://g" . This creates the field rex_macaddr with the inputted MAC address to appear without colons (progress for me!).
This is where I hit a wall. I feel I'm going about this the wrong way entirely. When doing it the way in the paragraph above, there will be 2 fields with the same values in sourcetype=radius .
1. radMacAddr="a1b2c3d4e5f6" - the original field I need to search through.
2. rex_macaddr="a1b2c3d4e5f6" - the newly created field from the user text input.
As you can see, this doesn't really help me unless I can create a new token based on the single result of rex_macaddr . If possible I wouldn't mind trying it out, but I feel I need to reach out and ask more experienced Splunkers on the best way to go about solving my problem.
Thank you all greatly!
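One way to get the second token the post asks about, as an added example that is not part of the original post: a Simple XML form whose text input derives a colon-free token in a `<change>` handler, so the radius search filters on radMacAddr directly. The token name mac_nocolon, the labels and the table columns are assumptions made for illustration.

```xml
<form>
  <label>RADIUS lookup by MAC address</label>
  <fieldset submitButton="false">
    <!-- The user pastes the MAC as it appears in linux_syslog: a1:b2:c3:d4:e5:f6 -->
    <input type="text" token="mac_address" searchWhenChanged="true">
      <label>MAC address (with colons)</label>
      <change>
        <!-- $value$ is the text just entered; the eval result is stored in a
             second token (mac_nocolon, a hypothetical name) without colons -->
        <eval token="mac_nocolon">replace($value$, ":", "")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Matching RADIUS events</title>
      <table>
        <search>
          <!-- The search runs once mac_nocolon is set and filters on the
               original field, so no extra rex_macaddr field is created -->
          <query>sourcetype=radius radMacAddr="$mac_nocolon$" | table _time radMacAddr</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the token is built from free-text user input and substituted into the search string, keeping it inside the quoted radMacAddr="..." comparison limits what a stray value can do to the query.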