- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is there a more effective way to form this sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am receiving logs that show me when a mac address appears on my network switch and when it is removed
logs i receive look like this:
Feb 13 12:04:21 switch mac_action[1105]: action=learned, mac_addr=13:26:AA:AA:D1:A4, reporting_host=switch.local, vlan_num=3
Feb 13 12:05:01 switch mac_action[1406]: action=removed, mac_addr=13:26:AA:AA:D1:A4, reporting_host=switch.local, vlan_num=3
Feb 13 12:05:21 switch mac_action[1606]: action=learned, mac_addr=FF:26:AA:BB:D1:A4, reporting_host=switch.local, vlan_num=3
I am searching to find what is currently on the switch using the following search:
host=myhost | transaction mac_addr vlan_num startswith="learned" endswith="removed" keepevicted=true | search closed_txn="0"
This search, however, limits me by omitting hosts that were learnt before the time-window of my search and just feels more costly than what I think could be done
I've been playing around with streamstats a bit as I listen to SplunkTalk #64 - might that be a viable solution to accomplish this? Anyone with any ideas on how I might make a more efficient search?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My short answer is the blog post I think about whenever I see a question regarding keeping track of states: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
I know it may not be an answer to the exact question you're asking, but hopefully it can shed some insight into other good strategies for achieving what you want 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'll always have the problem with the time window, since you're not looking at a state table (i.e. currently active MACs). No matter how far back you go, you always run the risk of missing the MAC addresses that were learned outside the chosen time window.
I don't have access to those type of logs, so I this may not be wholly adequate, by you might achieve better performance with something like;
your search | eval ZZZ = case(action == learned, "1", action == removed, "-1") | stats sum(ZZZ) as XXX by mac_addr vlan_num | where XXX > 0
i.e. XXX will be a positive number if there are more "learned" than "removed"
Or you could perhaps even more simply do something like;
your search | dedup mac_addr | search action=learned | table mac_addr vlan_num
i.e. find the most recent event for each MAC, filter out all but learned
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My short answer is the blog post I think about whenever I see a question regarding keeping track of states: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
I know it may not be an answer to the exact question you're asking, but hopefully it can shed some insight into other good strategies for achieving what you want 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Thanks!
Off the bat, this seems to address my question pretty well!
I've got it up and running and I will see if I encounter any issues
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
