Solved: How can I create a search on count of unique entri...

sanorthrup · ‎02-26-2018

At first glance I thought I could easily create this query, but I have been humbled. My logs have got tons of MAC addresses and some of those MAC addresses have multiple IPs bound to a physical MAC. I'm looking to get a list, sorted by unique count, for all of the MACs which have more than one IP on the interface.

Sample logs:
mac_add=aa-bb-cc-aa-bb-cc, IP_add=10.10.10.10
mac_add=aa-bb-cc-aa-bb-cc, IP_add=10.10.10.10
mac_add=aa-bb-cc-aa-bb-cc, IP_add=192.168.1.10
mac_add=00-00-00-00-00-00, IP_add=172.16.1.1
mac_add=aa-bb-cc-aa-bb-cc, IP_add=10.20.20.20
mac_add=00-00-00-00-00-00, IP_add=192.168.1.1

I'd love the output to look something like this:
aa-bb-cc-aa-bb-cc 3
00-00-00-00-00-00 2

somesoni2 · ‎02-26-2018

Try like this

your base search giving field mac_add and IP_add
| stats dc(IP_add) as uniqIPs by mac_add

View solution in original post

somesoni2 · ‎02-26-2018

Try like this

your base search giving field mac_add and IP_add
| stats dc(IP_add) as uniqIPs by mac_add

How can I create a search on count of unique entries for a given field, by a given field in MAC?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How can I create a search on count of unique entries for a given field, by a given field in MAC?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases