Splunk Search

How to use a list of whitelist mac addresses to find "bad" mac addresses?

k909
Engager

Hello,
for control dhcp server, need to search "bad" mac addresses, but use whitelist . And need modify search string for add new mac.
how use list of whitelist mac addresses to find these "bad" mac addresses?

index="cp"   DHCPREQUEST    | eval mac=substr(request_mac,1,8)  | search NOT mac="00:80:9f"  | search NOT mac="44:8a:5b" |  top limit=20 mac
0 Karma
1 Solution

HiroshiSatoh
Champion

I will do this.

-----whitelist.csv-----
mac
00:80:9f
44:8a:5b

index="cp"   DHCPREQUEST   NOT [|inputlookup whitelist.csv
     |fields mac|rename mac as request_mac
     |eval request_mac=request_mac+"*"]
|eval mac=substr(request_mac,1,8) 
|top limit=20 mac

View solution in original post

k909
Engager

Thank you

0 Karma

HiroshiSatoh
Champion

I will do this.

-----whitelist.csv-----
mac
00:80:9f
44:8a:5b

index="cp"   DHCPREQUEST   NOT [|inputlookup whitelist.csv
     |fields mac|rename mac as request_mac
     |eval request_mac=request_mac+"*"]
|eval mac=substr(request_mac,1,8) 
|top limit=20 mac

somesoni2
SplunkTrust
SplunkTrust

Do you have list of bad mac addresses? You could create a lookup table file with those addresses (a csv file with single column with header as 'max' and all mac address as values of those bad mac addresses). The filter could be like this

index="cp"   DHCPREQUEST    | eval mac=substr(request_mac,1,8)  | search NOT [inputlookup your_bad_mac_lookup.csv | table mac ] |  top limit=20 mac
0 Karma

k909
Engager

try to configure lookup table firstly
but result - bad, not use lookup table
where i am wrong?

Lookup table files
lookuo defintion

cat whitelist_mac.csv

whl_mac
00:80:9f
44:8a:5b
68:f7:28
78:24:af

index="cp"   DHCPREQUEST       | eval mac=substr(request_mac,1,8)  | search NOT [inputlookup whitelist_mac | table whl_mac ] |  top limit=20 mac 

mac count percent
00:80:9f 2606 44.615648
44:8a:5b 1424 24.379387
9c:1c:12 494 8.457456

0 Karma

k909
Engager

screenshot from dropl not work
http://d.pr/i/rn4B
http://d.pr/i/Oo6z

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...