Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Finding new IP addresses that haven't been seen before.

help_me_pls
New Member
‎09-30-2020 10:18 AM

Hey,
I have a splunk instance digesting nmap results. Each host that is found on the network generates an event that has information like IP and MAC addresses.

How can I formulate a search that would show me MAC addresses that were discovered for the first time in the last day or so?

I tried doing something like this:

 

NOT ([search earliest=-30d latest=-1d | table mac]) | table mac ip_address hostname

 

But that didn't actually remove any hosts that had been seen before.

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2020 10:48 AM

Have you tried a more explicit search?

index=nmap_index earliest=-1d NOT ([search index=nmap_index earliest=-30d latest=-1d | fields mac | format]) 
| table mac ip_address hostname
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...