https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293384#M4367 <P>I think I'm close. Just need a little help. here is my current search<BR /> index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2</P> <P>I'm trying to get results for any 2 systems sharing the same mac address. </P> <P>Thanks again for the help guys.</P> Tue, 29 Sep 2020 16:09:01 GMT shandman 2020-09-29T16:09:01Z https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293378#M4361 <P>I've been trying to get this to work with my data but can't seem to get it to work. <A href="https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev" target="_blank">https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev</A></P> <P>here is the query i'm running. <BR /> index=windows sourcetype=dhcpsrvlog ... | stats dc(dhcp_mac) as macCount values(dhcp_mac) as mac by dhcp_hostname | search macCount&gt;1</P> <P>I run that for the past 30 days, during which time I have spoofed mac addresses with 0 results coming up with this search. Am I missing something?</P> Tue, 29 Sep 2020 16:08:31 GMT https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293378#M4361 shandman 2020-09-29T16:08:31Z https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293379#M4362 <P>Hi @shandman,</P> <P>When you run this query <CODE>index=windows sourcetype=dhcpsrvlog ...</CODE> are you getting <CODE>dhcp_mac</CODE> and <CODE>dhcp_hostname</CODE> in interesting field on left hand side in splunk?</P> Wed, 11 Oct 2017 13:22:44 GMT https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293379#M4362 harsmarvania57 2017-10-11T13:22:44Z https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293380#M4363 <P>Same question, But make sure you are in Smart or Verbose mode when you check this. </P> Wed, 11 Oct 2017 14:53:38 GMT https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293380#M4363 blacknight659 2017-10-11T14:53:38Z https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293381#M4364 <P>Ah. I see. No the search is showing with dest_mac and dest_nt_host</P> Tue, 29 Sep 2020 16:08:52 GMT https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293381#M4364 shandman 2020-09-29T16:08:52Z https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293382#M4365 <P>Then your query should be </P> <PRE><CODE>index=windows sourcetype=dhcpsrvlog ... | stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host| search macCount&gt;1 </CODE></PRE> Wed, 11 Oct 2017 16:43:30 GMT https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293382#M4365 harsmarvania57 2017-10-11T16:43:30Z https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293383#M4366 <P>Now there is a plethora of hosts showing up with slightly different mac addresses. 1340 results . Looks like maybe they have multiple network interfaces? How can I adjust the search to show when another host takes on the mac address of a host? Thus showing when a mac address has been spoofed? Thanks guys.</P> Wed, 11 Oct 2017 17:20:01 GMT https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293383#M4366 shandman 2017-10-11T17:20:01Z https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293384#M4367 <P>I think I'm close. Just need a little help. here is my current search<BR /> index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2</P> <P>I'm trying to get results for any 2 systems sharing the same mac address. </P> <P>Thanks again for the help guys.</P> Tue, 29 Sep 2020 16:09:01 GMT https://community.splunk.com/t5/Installation/Mac-address-spoof-search/m-p/293384#M4367 shandman 2020-09-29T16:09:01Z