I installed this App back in February. Soon afterwards, I was seeing that some of my lookups came back blank. I thought that this app did a lookup from the IEEE server. I found out that is not how it works. The underlying Python netaddr module downloads the OUI text file from IEEE during the build process of the module, and then uses that netaddr/eui/oui.txt file for all lookups.

That means that as soon as this App is built and published to Splunkbase, the oui.txt file is already getting stale. I temporarily fixed the issue by downloading the Python netaddr module source, ungzipp'd and untar'd the source in /tmp, and did a "make downloads" in the temporary directory. This will do 2 things. It will use wget to download the oui.txt and iab.txt files from IEEE. Second it will call the ieee.py file to create an index for each of the txt files. Lastly, I copied the txt and idx files into the Splunk App directory: $SPLUNK_HOME/etc/apps/TA-macvendor/bin/netadd/eui directory.

What should happen is the author or someone (maybe me) should create a helper Python script that runs on a periodic basis that does what the makefile does. That way these files will be updated on a regular basis.