Splunk Search

Matching both sides of two kv pairs over time

Path Finder

I have a small DTrace app that monitors ARP requests and replies, producing output like this:

 2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=][targetMAC=0:1:d7:3b:55:44][targetIP=]

I'm interested in knowing if any (senderMAC, senderIP) pair differs from previously seen instances over some period of time, in roughly the way that arpwatch would alert me of a change.

Can't quite work out a strategy for this in Splunk. Any help?

Tags (1)
0 Karma


Probably needs tweaking, but these should give you some ideas...

Simplest approach

Look over some period for any cases where one IP address has more than one MAC address:

eventtype=foo | stats dc(senderMAC) as MACCount list(senderMAC) by senderIP
    | search MACCount > 1

Track all New MACs for a given IP

Search 1 -- Tracking:

eventtype=foo | dedup senderIP, senderMAC | fields senderIP, senderMAC
    | outputlookup arplookup

Search 2 -- Alerting:

eventtype=foo | dedup senderIP, senderMAC
   | lookup arplookup senderIP OUTPUT senderMAC as oldMAC
   | search oldMAC=* NOT senderMAC=oldMAC

Track all New MAC-IP Pairs

This should have the (desirable or undesirable) side effect of also alerting on all new pairs, not just when a MAC address changes...

Search 1 -- Tracking:

eventtype=foo | dedup senderMAC, senderIP | eval knownpair =1
    | fields senderMAC,senderIP,knownpair | outputlookup macpairs

Search 2 -- Alerting:

eventtype=foo | lookup macpairs senderMAC, senderIP OUTPUT knownpair
    | search NOT knownpair=1

Path Finder

Ah, jeeze, a lookup table. I should have thought of that.

Thank you!

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...