Create a list

rootadmin · ‎06-24-2013

Hi

Im very new to splunk (first day using it)

Is it possible to create a list of known mac addresses so that i can perform a search

so at the moment im searching for new wireless client associations against the router, i would like to put existing wireless clients into a list of known mac addresses to include a not statement to account for known mac addresses.

have this working currently by explicitly mentioning each mac address in the not statement

MHibbin · ‎06-24-2013

You can do this using a lookup table (CSV) stored on the host server.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources

You can then use a combination of an inputlookup command and subsearch in your search to filter these out.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

So (if my memory is correct - not done this is a little while), you could do something like:

<yourBaseSearch> NOT [|inputlookup <lookupFile> | fields + mac]

Hope this helps,

MHibbin

Create a list

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Create a list

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers