Good morning Splunkers!
I need help please! I am working on a dashboard that shows a list of MAC Addresses and sometimes the list is over 100 different addresses depending on the area.
So basically, I need to take multiple rows and put them into one line. I have a table that utilizes the **nomv** command, but it limits the MAC Addresses to 100. I use this table to drilldown to a custom URL, which is another Splunk instance that passes the list of MAC Addresses into another search for further processing.
Below is what I have: it places colons between every two characters of an unformatted MAC Address, then throws it into a stats command to list them and add " OR " between each one, and finally the **nomv** takes the multivalue field and puts it into one row. I've played around with using the head and tail commands to get as much as I can; however, it is not enough and gives some duplicates if there are less than 200.
```
| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6")
| stats list(MAC_Address) as MAC_Address delim=" OR "
| nomv MAC_Address
```
I was wondering if there is another command/way that will allow me to take more than 100 and put them into one line to pass through? I am open to other methods such as scripting to accomplish this.
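
Added example, not part of the original post: a scripted version of the same steps (colon-format each raw MAC, join with " OR ") that has no 100-value ceiling and rejects anything that is not exactly 12 hex digits before it is placed in a URL. The function names, the `q` parameter and the base URL are hypothetical, and the sample MACs are constructed.

```python
import re
from urllib.parse import quote

# Exactly 12 hex digits. This is stricter than the \w{2} groups in the
# post's regex, which also accept underscores and non-hex letters.
_RAW_MAC = re.compile(r"[0-9A-Fa-f]{12}")


def format_mac(raw):
    """Return 'AA:BB:CC:DD:EE:FF' for a 12-hex-digit string, else None."""
    raw = raw.strip()
    if not _RAW_MAC.fullmatch(raw):
        return None
    raw = raw.upper()  # assumption: upper case chosen as the canonical form
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def build_or_clause(raw_macs):
    """Join every valid, de-duplicated MAC with ' OR '; also return rejects."""
    seen, rejected = {}, []
    for raw in raw_macs:
        mac = format_mac(raw)
        if mac is None:
            rejected.append(raw)  # never forwarded to the second search
        else:
            seen.setdefault(mac, None)  # dict preserves first-seen order
    return " OR ".join(seen), rejected


def drilldown_url(base_url, clause):
    """URL-encode the clause for a query-string parameter (hypothetical 'q')."""
    return f"{base_url}?q={quote(clause, safe='')}"


if __name__ == "__main__":
    # Constructed input: 150 unique MACs, one duplicate, one invalid value.
    sample = [f"{i:012x}" for i in range(150)] + ["000000000001", "00_a2b3c4d5e"]
    clause, rejected = build_or_clause(sample)
    print(len(clause.split(" OR ")), "addresses,", len(rejected), "rejected")
    print(drilldown_url("https://splunk.example.invalid/search", clause)[:120])
```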