Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I search for results that share the same Mac address?

shandman
Path Finder
‎10-17-2017 01:34 PM

I think I'm close. Just need a little help. here is my current search
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same mac address.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:35 PM

Okay, two things - First, make sure your hosts have standardized names. Many systems have "host" sometimes in lower case, sometimes upper, and sometimes short host and sometimes FQDN. Those are all a single host, so you have to standardize the format of dest_nt_host before the stats command.

Second, upload your csv into a lookup, with the host in a field named host then run a search like this...

 index=windows sourcetype=dhcpsrvlog 
| dedup raw_mac,dest_nt_host
|  something that formats your host
| dedup raw_mac,dest_nt_host
| stats values(dest_nt_host) as host by raw_mac 
| where mvcount(host) > 1
| mvexpand host
| lookup myhosts.csv host OUTPUT host as foundme

Then this gets the ones that WERE in the lookup table... 

| where isnotnull(foundme)

...and this gets the ones that were NOT in the lookup table... 

| where isnull(foundme)

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:35 PM

Okay, two things - First, make sure your hosts have standardized names. Many systems have "host" sometimes in lower case, sometimes upper, and sometimes short host and sometimes FQDN. Those are all a single host, so you have to standardize the format of dest_nt_host before the stats command.

Second, upload your csv into a lookup, with the host in a field named host then run a search like this...

 index=windows sourcetype=dhcpsrvlog 
| dedup raw_mac,dest_nt_host
|  something that formats your host
| dedup raw_mac,dest_nt_host
| stats values(dest_nt_host) as host by raw_mac 
| where mvcount(host) > 1
| mvexpand host
| lookup myhosts.csv host OUTPUT host as foundme

Then this gets the ones that WERE in the lookup table... 

| where isnotnull(foundme)

...and this gets the ones that were NOT in the lookup table... 

| where isnull(foundme)
Reply
Solved! Jump to solution

shandman
Path Finder
‎10-19-2017 10:32 AM

Thank you. This is great!

Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-19-2017 11:03 AM

@shandman - Glad we were able to help! If that solved your issue, please "accept" the answer so that folks will know the question is closed.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-17-2017 09:57 PM

Hi @shandman,

This query might help you

index=windows sourcetype=dhcpsrvlog | dedup raw_mac,dest_nt_host| stats count(dest_nt_host) AS hostcount, values(dest_nt_host) by raw_mac | where hostcount > 1

Thanks,
Harshil

Reply
Solved! Jump to solution

shandman
Path Finder
‎10-18-2017 11:14 AM

The query works. For some reason I'm getting over 1000 results. Multiple hosts with the same mac. Weird. Thank you for the response though. I'll keep tinkering.

0 Karma
Reply
Solved! Jump to solution

shandman
Path Finder
‎10-18-2017 11:26 AM

I also just created a .csv lookup file that is pulling cmdb data with mac addresses to workstation. How can i append this search (above) to include the lookup .csv and verify that hosts match?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...