Hi guys, I'm trying to accomplish the same thing and something is not working, I only get the first MAC address to show up once I create the table, it formats it correctly but it's not what I want.
sourcetype="corp16arp:mib" | rex "ipNetToMediaPhysAddress.\"\d+\".\"(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\"\s+=\s+\"0x(?\w+)" max_match=0 | eval m = tostring(MAC)
| eval MAC = substr(m,0,2).":".substr(m,3,2).":".substr(m,5,2).":".substr(m,7,2).":".substr(m,9,2).":".substr(m,11,2) | table IP MAC
The following regex takes raw SNMP data and creates two fields, IP and MAC: I omitted the full IP and MAC's for security reasons.
RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."14"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000" RFC1213-MIB::ipNetToMediaPhysAddress."51"."53.x.x.x" = "0x000000000000
Any advice on this would help.
... View more