Happy New Year to all of you.

So I have syslog in which we have details of the devices and switches. 

The requirement is to find the old and new ip address for the NetworkName which were recently added to a group. 

To get this i have to follow below steps.

1. get the NetworkName which has been recently added to group.

2. than get the latest CallingStation for the NetworkName .

# search for step 1 & 2
index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName =USAZSLKRR01FIF0001
|stats latest(CallingStation ) as CallingStation by NetworkName

3. search in the index with the CallingStation  to get IPAddress(it has to ran for last 24 hours)

index=na3rc Calling_Station_ID=B0-22-7A-32-32-26
| bin span=1d _time
| stats latest(IPAddress) as IPAddress by _time CallingStation
| eval IP=if(_time<relative_time(now(),"@d"),"Old","New")

The problem here is that IPAddress field has both old and new IPAddress.

I tried join but it is showing no results as it is being maxout and when i try to use it in same search it is only showing new IPAddress.

Thank in Advance 🙂

index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName=USAZSLKRR01FIF0001
| stats latest(CallingStation) as CallingStation  by NetworkName
| join CallingStation type=left [| search index=xyz
| bin span=1d _time 
| stats latest(IPAddress) as IPAddress by  _time CallingStation 
| eval IP=if(_time<relative_time(now(),"@d"),"Old","New")]