Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Finding new IP addresses that haven't been seen before.

help_me_pls
New Member
‎09-30-2020 10:18 AM

Hey,
I have a splunk instance digesting nmap results. Each host that is found on the network generates an event that has information like IP and MAC addresses.

How can I formulate a search that would show me MAC addresses that were discovered for the first time in the last day or so?

I tried doing something like this:

 

NOT ([search earliest=-30d latest=-1d | table mac]) | table mac ip_address hostname

 

But that didn't actually remove any hosts that had been seen before.

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2020 10:48 AM

Have you tried a more explicit search?

index=nmap_index earliest=-1d NOT ([search index=nmap_index earliest=-30d latest=-1d | fields mac | format]) 
| table mac ip_address hostname
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...