Hi All,
Just a general question about best practices/network monitoring. What are some ways to address MAC flapping with Splunk? What are some of the queries people are running to identify and pull reports of multiple interfaces receiving packets from the same source?
Sounds like you need to fix your network.
Of course, this report you want may go a long way toward convincing people it's broken. 🙂
Because you were asking "generally", I'll give a couple of basic, general answers that hopefully will lead you to what you need. Assume all these are appended to the end of a base search (like index=network sourcetype=blah ...)
... | stats dc(mac_address) AS distinct_MACs BY ip_address
or
... | stats dc(ip_address) AS distinct_IPs BY mac_address
That's where I'd start. You might want to use some variant of sort or top at the end of that, or something else, but it should get you at least the first step.
Happy Splunking,
Rich
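Added example, not part of Rich's answer or the original thread: the logic of the two stats searches above, plus the per-interface variant the question actually asks for (one MAC seen on more than one switch port), run over a handful of constructed log lines so you can see what each report returns before pointing it at a real index. The mac_address and ip_address field names come from Rich's searches; the interface field, the key=value log format and the switch name are assumptions, and the SPL in the comments is the equivalent search each function mirrors.

```python
import re
from collections import defaultdict

# Constructed sample events (not real switch output). The key=value layout is
# an assumption; the point is that a Splunk sourcetype extracting mac_address,
# ip_address and interface would yield the same fields.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 sw-core1 mac=00:11:22:33:44:55 ip=10.0.1.10 iface=Gi1/0/1",
    "2024-03-01T10:00:02 sw-core1 mac=00:11:22:33:44:55 ip=10.0.1.10 iface=Gi1/0/2",
    "2024-03-01T10:00:03 sw-core1 mac=00:11:22:33:44:55 ip=10.0.1.10 iface=Gi1/0/1",
    "2024-03-01T10:00:04 sw-core1 mac=aa:bb:cc:dd:ee:ff ip=10.0.1.20 iface=Gi1/0/5",
    "2024-03-01T10:00:05 sw-core1 mac=aa:bb:cc:dd:ee:ff ip=10.0.1.21 iface=Gi1/0/5",
    "2024-03-01T10:00:06 sw-core1 mac=de:ad:be:ef:00:01 ip=10.0.1.30 iface=Gi1/0/7",
    "2024-03-01T10:00:07 sw-core1 mac=de:ad:be:ef:00:02 ip=10.0.1.30 iface=Gi1/0/7",
]

EVENT_RE = re.compile(
    r"mac=(?P<mac_address>\S+)\s+ip=(?P<ip_address>\S+)\s+iface=(?P<interface>\S+)"
)


def parse_events(lines):
    """Field extraction: turn each raw line into a dict of the three fields."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def stats_dc(events, dc_field, by_field):
    """Equivalent of `| stats dc(<dc_field>) BY <by_field>`.
    Returns {by_value: number of distinct dc_field values}."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[by_field]].add(ev[dc_field])
    return {k: len(v) for k, v in seen.items()}


def report(events, dc_field, by_field, threshold=2):
    """Rows worth looking at, highest count first, like
    `| stats dc(<dc_field>) AS dc BY <by_field> | where dc >= 2 | sort - dc`."""
    counts = stats_dc(events, dc_field, by_field)
    rows = [(k, n) for k, n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda kv: (-kv[1], kv[0]))


def mac_moves(events):
    """Count how many times each MAC changed port, in event order. dc(interface)
    only says a MAC was seen on two ports; this shows it actually bouncing.
    SPL equivalent:
      | streamstats current=f last(interface) AS prev_interface BY mac_address
      | where interface != prev_interface
      | stats count AS moves BY mac_address"""
    last_port = {}
    moves = defaultdict(int)
    for ev in events:
        mac, port = ev["mac_address"], ev["interface"]
        if mac in last_port and last_port[mac] != port:
            moves[mac] += 1
        else:
            moves.setdefault(mac, 0)
        last_port[mac] = port
    return dict(moves)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print("MACs on >1 interface:", report(evs, "interface", "mac_address"))
    print("MACs with >1 IP:     ", report(evs, "ip_address", "mac_address"))
    print("IPs with >1 MAC:     ", report(evs, "mac_address", "ip_address"))
    print("port moves per MAC:  ", mac_moves(evs))
```

On the sample data the first report flags only 00:11:22:33:44:55 (seen on Gi1/0/1 and Gi1/0/2, two moves), the second flags aa:bb:cc:dd:ee:ff (one MAC, two IPs), and the third flags 10.0.1.30 (one IP claimed by two MACs). Those are three different problems (a loop or a duplicated MAC, a DHCP renumbering or a NAT box, and an IP conflict or spoofing), so run them as separate scheduled reports rather than one combined search, and use the streamstats-style move count for alerting so a single legitimate host move does not page anyone.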
I'll start there, thanks Rich!