hrengifo
Level 7

How do you filter on a partial MAC

I'm trying to filter a view using "contains(00:03:93,00:05:02,00:0A:27)", three comma-separated partial OUIs, on the filter field "Source MAC", but I get the error Invalid Mac Address (ER1024). I'm trying to search for Apple OS OUIs to see how many Apple users we have. I tried using regex as well but that does not work either. Is there a better way to do this?

0 Kudos
2 Replies
proxima
Level 10

Re: How do you filter on a partial MAC

Hi,

Because the source MAC address is not a string field, you cannot achieve what you want just by using the contains or regex function.

I'm afraid that you have to export all MAC addresses from your ESM, filter this data, and then you can use a static watchlist for ESM filter purposes.

To automate that you can also use an "execute remote command" - but only for new events.

Regards

MK

0 Kudos
acommons
Level 10

Re: How do you filter on a partial MAC

You could consider adapting the parser to extract the MAC as it is and the OUI as a text field.
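The following is an added example, not part of any reply in this thread and not ESM's own code: a sketch of the "export, filter, build a static watchlist" step from the first reply, which also derives the OUI as a text value as the second reply suggests. It assumes the export is a plain list of MAC strings and that the watchlist accepts one full MAC per line; the function names and sample data are hypothetical.

```python
import re

# OUI prefixes taken from the question above; extend the set as needed.
TARGET_OUIS = {"00:03:93", "00:05:02", "00:0A:27"}

_HEX12 = re.compile(r"[0-9A-F]{12}")

def normalize_mac(raw):
    """Return the MAC as upper-case AA:BB:CC:DD:EE:FF, or None if malformed."""
    digits = re.sub(r"[.:\-\s]", "", raw).upper()
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui_of(mac):
    """First three octets of a normalized MAC (the vendor prefix) as text."""
    return mac[:8]

def build_watchlist(exported_values, ouis=TARGET_OUIS):
    """Filter exported source MACs down to the full addresses whose OUI is
    in `ouis`. Returns (sorted unique matches, rejected raw inputs)."""
    wanted = {o.upper() for o in ouis}
    matches, rejected = set(), []
    for raw in exported_values:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append(raw)      # keep for review instead of dropping silently
        elif oui_of(mac) in wanted:
            matches.add(mac)
    return sorted(matches), rejected

# Constructed sample export (not real data), mixing common MAC notations.
SAMPLE_EXPORT = [
    "00:03:93:12:34:56",
    "00-05-02-ab-cd-ef",
    "000a.27ff.0001",
    "00:03:93:12:34:56",   # duplicate
    "3C:52:82:00:11:22",   # different vendor prefix
    "00:0A:27",            # partial value, not a full MAC
    "not-a-mac",
]

if __name__ == "__main__":
    macs, bad = build_watchlist(SAMPLE_EXPORT)
    print("\n".join(macs))
    print(f"# skipped {len(bad)} malformed value(s)")
```

Because the watchlist holds full addresses, it has to be regenerated whenever new devices appear in the export.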