Matching both sides of two kv pairs over time

I have a small DTrace app that monitors ARP requests and replies, producing output like this:

 2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=][targetMAC=0:1:d7:3b:55:44][targetIP=]

I'm interested in knowing if any (senderMAC, senderIP) pair differs from previously seen instances over some period of time, in roughly the way that arpwatch would alert me of a change.

Can't quite work out a strategy for this in Splunk. Any help?



Probably needs tweaking, but these should give you some ideas...

Simplest approach

Look over some period for any cases where one IP address has more than one MAC address:

eventtype=foo | stats dc(senderMAC) as MACCount list(senderMAC) as MACs by senderIP
    | where MACCount > 1

Track all New MACs for a given IP

Search 1 -- Tracking:

eventtype=foo | dedup senderIP, senderMAC | fields senderIP, senderMAC
    | outputlookup arplookup

Search 2 -- Alerting:

eventtype=foo | dedup senderIP, senderMAC
   | lookup arplookup senderIP OUTPUT senderMAC as oldMAC
   | where isnotnull(oldMAC) AND isnull(mvfind(oldMAC, "^".senderMAC."$"))
   ```search senderMAC=oldMAC would compare senderMAC with the literal string "oldMAC", so it never matches; where compares the two fields. mvfind is used because oldMAC is multivalue when the lookup already holds several MACs for one IP```

Track all New MAC-IP Pairs

This should have the (desirable or undesirable) side effect of also alerting on all new pairs, not just when a MAC address changes...

Search 1 -- Tracking:

eventtype=foo | dedup senderMAC, senderIP | eval knownpair=1
    | fields senderMAC, senderIP, knownpair | outputlookup macpairs

Search 2 -- Alerting:

eventtype=foo | lookup macpairs senderMAC, senderIP OUTPUT knownpair
    | search NOT knownpair=1
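The three strategies above, as an added worked example that is not part of the answer or of the question's DTrace tool. It is written in Python rather than SPL so it can be run offline against the `[key=value]` line format shown in the question. The lookup table is a dictionary standing in for `arplookup`/`macpairs`, the sample log lines are constructed (addresses and MACs other than those in the question's line are made up), and all function names are this example's own. It also handles the edge case visible in the question's sample, an ARP probe whose `senderIP` is empty, which must not be stored as a mapping.

```python
"""arpwatch-style change detection over DTrace ARP lines (added example).

Mirrors the answer's three SPL strategies:
  1. distinct MAC count per IP  (stats dc(senderMAC) by senderIP | where > 1)
  2. MAC differs from the stored one for a known IP  (lookup + where)
  3. any never-seen (IP, MAC) pair  (lookup on both fields)
"""
import re
from collections import defaultdict

# One [key=value] group; the value may be empty, e.g. [senderIP=] in the question.
KV_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")

# Constructed sample data: a baseline window and a later window.
BASELINE = [
    "2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]",
    "2010 Sep  1 03:10:09 [type=Reply][senderMAC=0:1:d7:3b:55:44][senderIP=10.0.0.1][targetMAC=0:3:ba:d1:1e:17][targetIP=10.0.0.5]",
    # ARP probe: empty senderIP, carries no IP->MAC mapping
    "2010 Sep  1 03:10:10 [type=Request][senderMAC=0:3:ba:d1:1e:17][senderIP=][targetMAC=0:0:0:0:0:0][targetIP=10.0.0.1]",
]
LATER = [
    "2010 Sep  1 04:00:01 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]",
    # 10.0.0.1 now answers from a different MAC (what arpwatch calls a changed ethernet address)
    "2010 Sep  1 04:00:02 [type=Reply][senderMAC=de:ad:be:ef:0:1][senderIP=10.0.0.1][targetMAC=0:3:ba:d1:1e:17][targetIP=10.0.0.5]",
    # a host never seen in the baseline
    "2010 Sep  1 04:00:03 [type=Reply][senderMAC=0:c:29:aa:bb:cc][senderIP=10.0.0.9][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]",
    # repeat of the changed pair; removed by the dedup step
    "2010 Sep  1 04:00:04 [type=Reply][senderMAC=de:ad:be:ef:0:1][senderIP=10.0.0.1][targetMAC=0:3:ba:d1:1e:17][targetIP=10.0.0.5]",
]


def parse_line(line):
    """Return (timestamp, {key: value}) for one DTrace ARP line."""
    ts, _, rest = line.partition("[")
    return ts.strip(), dict(KV_RE.findall("[" + rest))


def distinct_macs_per_ip(events):
    """Strategy 1: IPs that were claimed by more than one MAC in the window."""
    macs = defaultdict(set)
    for _, f in events:
        if f.get("senderIP"):  # skip probes with an empty senderIP
            macs[f["senderIP"]].add(f["senderMAC"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def build_lookup(events):
    """Tracking search: dedup (senderIP, senderMAC) into a lookup table {ip: {mac,...}}."""
    table = defaultdict(set)
    for _, f in events:
        if f.get("senderIP"):
            table[f["senderIP"]].add(f["senderMAC"])
    return table


def alert_on_changes(events, lookup, new_pairs=False):
    """Alerting search.

    new_pairs=False: strategy 2, alert only when an IP already in the lookup
    shows a MAC that is not among its stored MACs (oldMAC present, senderMAC
    not in it). new_pairs=True: strategy 3, additionally alert on IPs that
    the lookup has never seen. Returns (timestamp, ip, mac, reason) tuples.
    """
    alerts, seen = [], set()
    for ts, f in events:
        ip, mac = f.get("senderIP"), f.get("senderMAC")
        if not ip or (ip, mac) in seen:  # dedup senderIP, senderMAC
            continue
        seen.add((ip, mac))
        known = lookup.get(ip)
        if known is None:
            if new_pairs:
                alerts.append((ts, ip, mac, "new pair"))
        elif mac not in known:
            alerts.append((ts, ip, mac, "changed from " + "/".join(sorted(known))))
    return alerts


if __name__ == "__main__":
    base = [parse_line(l) for l in BASELINE]
    later = [parse_line(l) for l in LATER]
    lookup = build_lookup(base)
    for alert in alert_on_changes(later, lookup, new_pairs=True):
        print(alert)
    print(distinct_macs_per_ip(base + later))
```

Running it flags 10.0.0.1 as changed from 0:1:d7:3b:55:44 and, with `new_pairs=True`, also reports 10.0.0.9 as a new pair; the probe with the empty `senderIP` never enters the table, and the repeated changed pair produces a single alert because of the dedup step.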

Ah, jeeze, a lookup table. I should have thought of that.

Thank you!
