Hello,
for control dhcp server, need to search "bad" mac addresses, but use whitelist . And need modify search string for add new mac.
how use list of whitelist mac addresses to find these "bad" mac addresses?
index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT mac="00:80:9f" | search NOT mac="44:8a:5b" | top limit=20 mac
I will do this.
-----whitelist.csv-----
mac
00:80:9f
44:8a:5b
index="cp" DHCPREQUEST NOT [|inputlookup whitelist.csv
|fields mac|rename mac as request_mac
|eval request_mac=request_mac+"*"]
|eval mac=substr(request_mac,1,8)
|top limit=20 mac
Thank you
I will do this.
-----whitelist.csv-----
mac
00:80:9f
44:8a:5b
index="cp" DHCPREQUEST NOT [|inputlookup whitelist.csv
|fields mac|rename mac as request_mac
|eval request_mac=request_mac+"*"]
|eval mac=substr(request_mac,1,8)
|top limit=20 mac
Do you have list of bad mac addresses? You could create a lookup table file with those addresses (a csv file with single column with header as 'max' and all mac address as values of those bad mac addresses). The filter could be like this
index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT [inputlookup your_bad_mac_lookup.csv | table mac ] | top limit=20 mac
try to configure lookup table firstly
but result - bad, not use lookup table
where i am wrong?
cat whitelist_mac.csv
whl_mac
00:80:9f
44:8a:5b
68:f7:28
78:24:af
index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT [inputlookup whitelist_mac | table whl_mac ] | top limit=20 mac
mac count percent
00:80:9f 2606 44.615648
44:8a:5b 1424 24.379387
9c:1c:12 494 8.457456
screenshot from dropl not work
http://d.pr/i/rn4B
http://d.pr/i/Oo6z