Replace Values in Extracted Field

ssstonebraker · July 30, 2019, 6:30pm

I am ingesting Windows DHCP logs (via NX-LOG) and Meraki DHCP logs. The Windows DHCP logs by default do not include any colons in the MAC address. The Meraki Logs have colons in the MAC address.

My goal is to have a single field called “DHCP_MACAddress” used to store the extracted MAC address from both logs (and to not have any colons).

How can i remove the colons from the extracted MAC address?

Meraki DHCP Log Line
10.10.10.1 1564510024.512576200 HIAIEFRW01 events dhcp lease of ip 10.10.10.118 from server mac AC:17:C8:F1:G4:22 for client mac DC:8B:28:53:AB:4C from router 10.10.10.1 on subnet 255.255.255.0 with dns 10.1.1.110, 10.1.1.60

Meraki Regular Expression (to match MAC Address)
for\sclient\smac\s(([0-9A-F]{2}[:-]){5}([0-9A-F]{2}))

Result
DC:8B:28:53:AB:4C

jaikumarkrishna · July 31, 2019, 4:54am

One way you can write grok/regex by spliting MAC address as below

Result1=DC
Result2=8b
Result3=28
Result4=53
Result5=AB
Resultl6=4C

Then try concat using space, you ll get expected result.
Thanks,
Jay’

jan · July 31, 2019, 8:11am

you might want to use the regex-replace function: http://docs.graylog.org/en/3.0/pages/pipelines/functions.html#regex-replace

or the join function: http://docs.graylog.org/en/3.0/pages/pipelines/functions.html#join

system · August 14, 2019, 8:23am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Update MAC address field with leading zeros Graylog Central (peer support)	7	1356	July 23, 2021
Regular exception MAC address Graylog Central (peer support)	6	2775	November 13, 2017
Regex extractor not working Graylog Central (peer support)	11	998	July 20, 2021
Extract the hostname Graylog Central (peer support)	4	2026	July 19, 2021
Extract first valid MAC address from a String with Regex Graylog Central (peer support)	9	2191	April 14, 2020

Replace Values in Extracted Field

Related topics