The mac address format for all of my logs is xx:xx:xx:xx:xx:xx
AUTHORIZATION-SUCCESS: user: airport; mac: e8:06:88:8a:17:97; author reason: new session; ssid: slo_airport; AP 32/1
AUTHORIZATION-SUCCESS: user: airport; mac: 00:1c:b3:be:08:2c; author reason: new session; ssid: slo_airport; AP 32/2
I'm trying to " my search string " | stats distinct_count(mac)
I would think that the mac address would be a "pre-built" field. Thanks.
You can extract the mac address using rex as such:
your search string | rex "mac: (?<mac>\S+);" | stats distinct_count(mac)
Thank you very very very much.
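As an added example (not part of the original thread), the Python sketch below applies the same extraction to the two events from the question plus two constructed ones, with a capture that only accepts six hex octets instead of `\S+`, and lowercases the value before counting. The function name and the extra events are assumptions for illustration; Python writes the named group as `(?P<mac>...)` where rex uses `(?<mac>...)`.

```python
import re
from collections import defaultdict

# Constructed sample input: the two events from the question, then an
# upper-case repeat of the first MAC and an event with a placeholder value.
SAMPLE_EVENTS = """\
AUTHORIZATION-SUCCESS: user: airport; mac: e8:06:88:8a:17:97; author reason: new session; ssid: slo_airport; AP 32/1
AUTHORIZATION-SUCCESS: user: airport; mac: 00:1c:b3:be:08:2c; author reason: new session; ssid: slo_airport; AP 32/2
AUTHORIZATION-SUCCESS: user: airport; mac: E8:06:88:8A:17:97; author reason: new session; ssid: slo_airport; AP 32/1
AUTHORIZATION-SUCCESS: user: airport; mac: unknown; author reason: new session; ssid: slo_airport; AP 32/3
"""

# Same anchors as the rex in the answer ("mac: " ... ";"), but the capture
# accepts only xx:xx:xx:xx:xx:xx, so a value such as "unknown" is not a match.
MAC_RE = re.compile(r"mac: (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5});")
SSID_RE = re.compile(r"ssid: (?P<ssid>[^;]+);")


def distinct_macs(events):
    """Return ({ssid: set of lower-cased MACs}, [events with no valid MAC])."""
    by_ssid = defaultdict(set)
    rejected = []
    for line in events.splitlines():
        if not line.strip():
            continue
        mac = MAC_RE.search(line)
        if mac is None:
            rejected.append(line)  # keep for review instead of counting it
            continue
        ssid = SSID_RE.search(line)
        key = ssid.group("ssid") if ssid else "(no ssid)"
        # Lower-case so both spellings of one address count as one device.
        by_ssid[key].add(mac.group("mac").lower())
    return dict(by_ssid), rejected


if __name__ == "__main__":
    counts, rejected = distinct_macs(SAMPLE_EVENTS)
    for ssid, macs in sorted(counts.items()):
        print(f"{ssid}: {len(macs)} distinct MAC(s)")
    print(f"{len(rejected)} event(s) without a well-formed MAC")
```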