I have been using RegEx a lot more recently. Mostly I have been doing Splunk searches, but I have also been writing a standard operating procedure here and there, and that tends to require defining custom fields or attributes in a way that it seems only RegEx can articulate.
As a result, I have had to create MAC and IP Address RegEx searches. I can’t tell you how frustrated I am with Cisco’s own internal inconcistencies with how they display MAC addresses. Most IOS devices use
nnnn.nnnn.nnnn, but things like ISE use
nn:nn:nn:nn:nn:nn. DOS / Windows Command prompt uses
nn-nn-nn-nn-nn-nn, just to confuse things all the more.
By comparison, IP Addresses are pretty tame. It’s just 4 numbers, ranging from 0-255 separated by three dots. If you include CIDR notation, then you need a forward slash and a number from 0-32 at the end. There are no changes in notation in either location or character. IP Addresses aren’t sometimes separated by colons or hyphens. Easy Peasy.
Domain Names on the other hand… Those are, at first blush, deceptively simple, then more complex as you try and further restrict how literal you want your RegEx to be. DNS is a series of labels separated by periods. Each label can be 63 characters long, and there can be up to 127 labels in a DNS name. However, all of this is constrained by by a total character limit of 253. To further complicate things, DNS allows hyphens, but never for the first or last character of a label.
Well, now that I have complained through my preamble, let us explore some of my solutions to these problems:
MAC Address RegEx
I have added
?:to the front of many of the groups here to make them “non-capturing”. This prevents RegEx from numbering each group that is surrounded in parenthesis. I then purposefully leave it off of the first group that defines the separator, the colon or the hyphen, so that I can use
\1later in the search. This helps ensure that if the colon was used first, RegEx continues to expect the colon as the separator, not a mix of any of either the colon, hyphen, or period.
This RegEx will match on
aabb.ccdd.eeff, regardless of case, but not a mix, like
Two invaluable RegEx sites that I use are:
If you have found these RegExs to be useful, please comment and let me know. Additionally, I would really love to hear if you have better ways of dealing with these patterns. Of course, if you have a pattern you would like to share, please do so!