Splunk Search

How to use a list of whitelist mac addresses to find "bad" mac addresses?

k909
Engager

Hello,
to monitor the DHCP server I need to search for "bad" MAC addresses, but using a whitelist. And I have to modify the search string every time I add a new MAC.
How can I use a list of whitelisted MAC addresses to find these "bad" MAC addresses?

index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT mac="00:80:9f" | search NOT mac="44:8a:5b" | top limit=20 mac
0 Karma
1 Solution

HiroshiSatoh
Champion

I would do it like this.

-----whitelist.csv-----
mac
00:80:9f
44:8a:5b

index="cp"   DHCPREQUEST   NOT [|inputlookup whitelist.csv
     |fields mac|rename mac as request_mac
     |eval request_mac=request_mac+"*"]
|eval mac=substr(request_mac,1,8) 
|top limit=20 mac


k909
Engager

Thank you

0 Karma

somesoni2
Revered Legend

Do you have a list of bad MAC addresses? You could create a lookup table file with those addresses (a CSV file with a single column, with the header 'mac' and the bad MAC addresses as the values). The filter could be like this:

index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT [| inputlookup your_bad_mac_lookup.csv | table mac ] | top limit=20 mac
0 Karma

k909
Engager

I tried to configure a lookup table first,
but the result is bad; the lookup table is not used.
Where am I wrong?

Lookup table files
Lookup definition

cat whitelist_mac.csv

whl_mac
00:80:9f
44:8a:5b
68:f7:28
78:24:af

index="cp" DHCPREQUEST | eval mac=substr(request_mac,1,8) | search NOT [inputlookup whitelist_mac | table whl_mac ] | top limit=20 mac

mac count percent
00:80:9f 2606 44.615648
44:8a:5b 1424 24.379387
9c:1c:12 494 8.457456

0 Karma
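Editor's note, not part of the thread: the search above cannot exclude anything because of a field-name mismatch. The subsearch `[inputlookup whitelist_mac | table whl_mac]` expands to `(whl_mac="00:80:9f") OR (whl_mac="44:8a:5b") OR ...`, but the events carry the OUI in a field called `mac`, not `whl_mac`; no event has a `whl_mac` field, so `NOT (...)` is true for every event and the whitelisted prefixes still show up in `top`. The fix is the same one HiroshiSatoh's answer uses: rename the lookup column to the event field name inside the subsearch. The two searches below are an added example written for this page, assuming the lookup definition `whitelist_mac` with the column `whl_mac` exactly as posted, and that `request_mac` holds a colon-separated MAC. The first is the corrected subsearch form; the second does the same filtering with `lookup` instead of a subsearch, which avoids the subsearch result limit (10,000 rows by default) if the whitelist grows large. `lower()` is added because lookup matching is case-sensitive by default and DHCP logs do not always agree on case with the CSV.

```spl
index="cp" DHCPREQUEST
| eval mac=lower(substr(request_mac,1,8))
| search NOT [| inputlookup whitelist_mac | fields whl_mac | rename whl_mac AS mac]
| top limit=20 mac

index="cp" DHCPREQUEST
| eval mac=lower(substr(request_mac,1,8))
| lookup whitelist_mac whl_mac AS mac OUTPUT whl_mac AS whitelisted
| where isnull(whitelisted)
| top limit=20 mac
```

In the second form, `lookup` adds a `whitelisted` field only to events whose OUI is in the CSV, so `where isnull(whitelisted)` keeps exactly the non-whitelisted ones. Either way, adding a new vendor prefix is now a one-line change to whitelist_mac.csv, not to the search string. Note that `substr(request_mac,1,8)` is the 3-byte OUI (vendor prefix), so this whitelists vendors, not individual devices; a MAC-level allowlist would compare the full `request_mac` instead.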

k909
Engager

Screenshots from Droplr don't work:
http://d.pr/i/rn4B
http://d.pr/i/Oo6z

0 Karma