https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338394#M100366 <P>screenshot from dropl not work<BR /> <A href="http://d.pr/i/rn4B">http://d.pr/i/rn4B</A><BR /> <A href="http://d.pr/i/Oo6z">http://d.pr/i/Oo6z</A></P> Thu, 20 Apr 2017 07:41:48 GMT k909 2017-04-20T07:41:48Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338390#M100362 <P>Hello,<BR /> for control dhcp server, need to search "bad" mac addresses, but use whitelist . And need modify search string for add new mac.<BR /> how use list of whitelist mac addresses to find these "bad" mac addresses?</P> <PRE><CODE>index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT mac="00:80:9f" | search NOT mac="44:8a:5b" | top limit=20 mac </CODE></PRE> Wed, 19 Apr 2017 07:05:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338390#M100362 k909 2017-04-19T07:05:10Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338391#M100363 <P>Do you have list of bad mac addresses? You could create a lookup table file with those addresses (a csv file with single column with header as 'max' and all mac address as values of those bad mac addresses). The filter could be like this</P> <PRE><CODE>index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT [inputlookup your_bad_mac_lookup.csv | table mac ] | top limit=20 mac </CODE></PRE> Thu, 20 Apr 2017 05:12:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338391#M100363 somesoni2 2017-04-20T05:12:33Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338392#M100364 <P>I will do this.</P> <P>-----whitelist.csv-----<BR /> mac<BR /> 00:80:9f<BR /> 44:8a:5b</P> <PRE><CODE>index="cp" DHCPREQUEST NOT [|inputlookup whitelist.csv |fields mac|rename mac as request_mac |eval request_mac=request_mac+"*"] |eval mac=substr(request_mac,1,8) |top limit=20 mac </CODE></PRE> Thu, 20 Apr 2017 05:20:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338392#M100364 HiroshiSatoh 2017-04-20T05:20:26Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338393#M100365 <P>try to configure lookup table firstly<BR /> but result - bad, not use lookup table<BR /> where i am wrong?</P> <P><IMG src="http://d.pr/i/Oo6z" alt="Lookup table files" /><BR /> <IMG src="http://d.pr/i/rn4B" alt="lookuo defintion" /></P> <P>cat whitelist_mac.csv</P> <PRE><CODE>whl_mac 00:80:9f 44:8a:5b 68:f7:28 78:24:af index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT [inputlookup whitelist_mac | table whl_mac ] | top limit=20 mac </CODE></PRE> <P>mac count percent<BR /> 00:80:9f 2606 44.615648<BR /> 44:8a:5b 1424 24.379387<BR /> 9c:1c:12 494 8.457456</P> Thu, 20 Apr 2017 07:40:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338393#M100365 k909 2017-04-20T07:40:33Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338394#M100366 <P>screenshot from dropl not work<BR /> <A href="http://d.pr/i/rn4B">http://d.pr/i/rn4B</A><BR /> <A href="http://d.pr/i/Oo6z">http://d.pr/i/Oo6z</A></P> Thu, 20 Apr 2017 07:41:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338394#M100366 k909 2017-04-20T07:41:48Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338395#M100367 <P>Thank you</P> Fri, 21 Apr 2017 06:22:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-list-of-whitelist-mac-addresses-to-find-quot-bad/m-p/338395#M100367 k909 2017-04-21T06:22:44Z