Solved: How can I create a search on count of unique entri...

sanorthrup · ‎02-26-2018

At first glance I thought I could easily create this query, but I have been humbled. My logs have got tons of MAC addresses and some of those MAC addresses have multiple IPs bound to a physical MAC. I'm looking to get a list, sorted by unique count, for all of the MACs which have more than one IP on the interface.

Sample logs:
mac_add=aa-bb-cc-aa-bb-cc, IP_add=10.10.10.10
mac_add=aa-bb-cc-aa-bb-cc, IP_add=10.10.10.10
mac_add=aa-bb-cc-aa-bb-cc, IP_add=192.168.1.10
mac_add=00-00-00-00-00-00, IP_add=172.16.1.1
mac_add=aa-bb-cc-aa-bb-cc, IP_add=10.20.20.20
mac_add=00-00-00-00-00-00, IP_add=192.168.1.1

I'd love the output to look something like this:
aa-bb-cc-aa-bb-cc 3
00-00-00-00-00-00 2

somesoni2 · ‎02-26-2018

Try like this

your base search giving field mac_add and IP_add
| stats dc(IP_add) as uniqIPs by mac_add

View solution in original post

somesoni2 · ‎02-26-2018

Try like this

your base search giving field mac_add and IP_add
| stats dc(IP_add) as uniqIPs by mac_add

How can I create a search on count of unique entries for a given field, by a given field in MAC?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How can I create a search on count of unique entries for a given field, by a given field in MAC?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?