https://community.splunk.com/t5/Monitoring-Splunk/Address-MAC-flapping-noise-with-Splunk/m-p/384696#M5973 <P>Sounds like you need to fix your network.</P> <P>Of course, this report you want may go a long way toward convincing people it's broken. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Because you were asking "generally", I'll give a couple of basic, general answers that hopefully will lead you to what you need. Assume all these are appended to the end of a base search (like <CODE>index=network sourcetype=blah ...</CODE>)</P> <PRE><CODE>... | stats dc(mac_address) AS distinct_MACs BY ip_address </CODE></PRE> <P>or </P> <PRE><CODE>... | stats dc(ip_address) AS distinct_IPs BY mac_address </CODE></PRE> <P>That's where I'd start. You might want to use some variant of <CODE>sort</CODE> or <CODE>top</CODE> at the end of that, or something else, but it should get you at least the first step.</P> <P>Happy Splunking,<BR /> Rich </P> Thu, 11 Jul 2019 16:27:35 GMT Richfez 2019-07-11T16:27:35Z https://community.splunk.com/t5/Monitoring-Splunk/Address-MAC-flapping-noise-with-Splunk/m-p/384695#M5972 <P>Hi All,</P> <P>Just a general question about best practices/network monitoring. What are some ways to address MAC flapping with Splunk? what are some of the queries people are running to identify and pull reports of multiple interfaces receiving packets from the same source?</P> Thu, 11 Jul 2019 14:27:46 GMT https://community.splunk.com/t5/Monitoring-Splunk/Address-MAC-flapping-noise-with-Splunk/m-p/384695#M5972 JPrictoe 2019-07-11T14:27:46Z https://community.splunk.com/t5/Monitoring-Splunk/Address-MAC-flapping-noise-with-Splunk/m-p/384696#M5973 <P>Sounds like you need to fix your network.</P> <P>Of course, this report you want may go a long way toward convincing people it's broken. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Because you were asking "generally", I'll give a couple of basic, general answers that hopefully will lead you to what you need. Assume all these are appended to the end of a base search (like <CODE>index=network sourcetype=blah ...</CODE>)</P> <PRE><CODE>... | stats dc(mac_address) AS distinct_MACs BY ip_address </CODE></PRE> <P>or </P> <PRE><CODE>... | stats dc(ip_address) AS distinct_IPs BY mac_address </CODE></PRE> <P>That's where I'd start. You might want to use some variant of <CODE>sort</CODE> or <CODE>top</CODE> at the end of that, or something else, but it should get you at least the first step.</P> <P>Happy Splunking,<BR /> Rich </P> Thu, 11 Jul 2019 16:27:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Address-MAC-flapping-noise-with-Splunk/m-p/384696#M5973 Richfez 2019-07-11T16:27:35Z https://community.splunk.com/t5/Monitoring-Splunk/Address-MAC-flapping-noise-with-Splunk/m-p/384697#M5974 <P>I'll start there, thanks Rich!</P> Fri, 12 Jul 2019 01:04:17 GMT https://community.splunk.com/t5/Monitoring-Splunk/Address-MAC-flapping-noise-with-Splunk/m-p/384697#M5974 JPrictoe 2019-07-12T01:04:17Z