Finding new IP addresses that haven't been seen be...

help_me_pls · ‎09-30-2020

Hey,
I have a splunk instance digesting nmap results. Each host that is found on the network generates an event that has information like IP and MAC addresses.

How can I formulate a search that would show me MAC addresses that were discovered for the first time in the last day or so?

I tried doing something like this:

NOT ([search earliest=-30d latest=-1d | table mac]) | table mac ip_address hostname

But that didn't actually remove any hosts that had been seen before.

richgalloway · ‎09-30-2020

Have you tried a more explicit search?

index=nmap_index earliest=-1d NOT ([search index=nmap_index earliest=-30d latest=-1d | fields mac | format]) 
| table mac ip_address hostname

---
If this reply helps you, Karma would be appreciated.

Finding new IP addresses that haven't been seen before.

subsearch

table

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?