topic One MAC multiple IP's Table View in Splunk Search

One MAC multiple IP's Table View

hartfoml — Tue, 21 Jan 2014 20:59:58 GMT

I have a search like this

index="wireless" DHCP ACK | table _time src_mac src_ip

I would like to show a table of MAC and the assoseated IP's the MAC has used and when it recieved the IP

Like this:

fc:c7:34:de:58:56 1/1/2013 123.45.6.789

                           1/2/2013       123.45.6.978

fc:25:3f:a0:6d:bb 2/1/2013 123.45.6.912

                           2/3/1023       123.45.6.864

Ayn — Tue, 21 Jan 2014 21:16:26 GMT

How about

index="wireless" DHCP ACK | stats list(_time) as time,list(src_ip) as src_ip by src_mac | convert ctime(time)

Ayn — Tue, 21 Jan 2014 21:17:18 GMT

...or if you want to use transaction for some reason,

index="wireless" DHCP ACK | transaction src_mac | table src_mac _time src_ip

hartfoml — Tue, 21 Jan 2014 21:21:58 GMT

Wow this is great stuff. Thanks Ayn

hartfoml — Tue, 21 Jan 2014 21:32:29 GMT

If I could bother you for one more thing.

If I wanted to use the transaction commend but only find the src_mac that have more than one IP how could I do that?