Splunk Search

Matching both sides of two kv pairs over time


I have a small DTrace app that monitors ARP requests and replies, producing output like this:

 2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=][targetMAC=0:1:d7:3b:55:44][targetIP=]

I'm interested in knowing if any (senderMAC, senderIP) pair differs from previously seen instances over some period of time, in roughly the way that arpwatch would alert me of a change.

Can't quite work out a strategy for this in Splunk. Any help?



Probably needs tweaking, but these should give you some ideas...

Simplest approach

Look over some period for any cases where one IP address has more than one MAC address:

eventtype=foo | stats dc(senderMAC) as MACCount values(senderMAC) as MACs by senderIP
    | where MACCount > 1

Track all New MACs for a given IP

Search 1 -- Tracking:

eventtype=foo | dedup senderIP, senderMAC | fields senderIP, senderMAC
    | outputlookup arplookup

Search 2 -- Alerting:

eventtype=foo | dedup senderIP, senderMAC
   | lookup arplookup senderIP OUTPUT senderMAC as oldMAC
   | where isnotnull(oldMAC) AND mvcount(mvdedup(mvappend(oldMAC, senderMAC))) > mvcount(oldMAC)

Track all New MAC-IP Pairs

This should have the (desirable or undesirable) side effect of also alerting on all new pairs, not just when a MAC address changes...

Search 1 -- Tracking:

eventtype=foo | dedup senderMAC, senderIP | eval knownpair =1
    | fields senderMAC,senderIP,knownpair | outputlookup macpairs

Search 2 -- Alerting:

eventtype=foo | lookup macpairs senderMAC, senderIP OUTPUT knownpair
    | search NOT knownpair=1
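As an added example that is not part of the thread and not Splunk's own code: the three checks from the answer above, written in Python over constructed lines in the DTrace format shown in the question, so the logic can be tried offline. The sender IP fields are filled in here (the sample line in the question has them empty); an event with an empty senderIP is skipped, just as it drops out of a `by senderIP` grouping in Splunk. The lookup table is kept as IP to set-of-MACs, which is the case where the Splunk lookup returns oldMAC as a multivalue field, so the "changed MAC" check tests membership rather than equality against a single value. All host names, addresses and MACs are made up.

```python
"""Added example (not code from the original thread or from Splunk):
the three checks from the answer, implemented over the DTrace line format
shown in the question so they can be tried offline.  Sample lines are
constructed; the IP fields are filled in (the sample in the question
has them empty)."""
import re
from collections import defaultdict

# Constructed baseline window: what the tracking search would have seen.
BASELINE = [
    "2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]",
    "2010 Sep  1 03:10:09 [type=Request][senderMAC=0:1:d7:3b:55:44][senderIP=10.0.0.1][targetMAC=][targetIP=10.0.0.5]",
    "2010 Sep  1 03:10:09 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=][targetMAC=0:1:d7:3b:55:44][targetIP=]",  # empty senderIP: skipped
]
# Constructed later window: one MAC change for a tracked IP, one never-seen host.
LATER = [
    "2010 Sep  1 03:11:40 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]",
    "2010 Sep  1 03:15:02 [type=Reply][senderMAC=de:ad:be:ef:0:1][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]",
    "2010 Sep  1 03:16:11 [type=Reply][senderMAC=0:c:29:aa:bb:cc][senderIP=10.0.0.7][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]",
]

# One bracketed key=value pair; the value may be empty.
KV_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")


def parse_line(line):
    """Split one line into (timestamp, {key: value}); empty values stay ''."""
    ts, _, rest = line.partition(" [")
    return ts.strip(), dict(KV_RE.findall("[" + rest))


def sender_pairs(lines):
    """Yield (ts, senderIP, senderMAC), dropping events where either field is
    empty, as `stats ... by senderIP` drops events that have no senderIP."""
    for line in lines:
        ts, f = parse_line(line)
        if f.get("senderIP") and f.get("senderMAC"):
            yield ts, f["senderIP"], f["senderMAC"]


def macs_per_ip(lines):
    """Simplest approach: IPs that had more than one sender MAC in the window
    (the dc(senderMAC) > 1 check)."""
    seen = defaultdict(set)
    for _, ip, mac in sender_pairs(lines):
        seen[ip].add(mac)
    return {ip: sorted(m) for ip, m in seen.items() if len(m) > 1}


def build_lookup(lines):
    """Tracking search: the lookup table, ip -> set of MACs seen for it.
    An IP with several MACs here is what the Splunk lookup hands back as a
    multivalue oldMAC."""
    table = defaultdict(set)
    for _, ip, mac in sender_pairs(lines):
        table[ip].add(mac)
    return dict(table)


def changed_macs(lines, lookup):
    """Alerting search for 'new MACs': the IP is already tracked but the MAC is
    not among its known ones.  Each (ip, mac) is reported once (dedup)."""
    alerts, done = [], set()
    for ts, ip, mac in sender_pairs(lines):
        if (ip, mac) in done:
            continue
        done.add((ip, mac))
        old = lookup.get(ip)
        if old and mac not in old:
            alerts.append((ts, ip, mac, sorted(old)))
    return alerts


def new_pairs(lines, lookup):
    """Alerting search for 'new pairs': any (ip, mac) not in the table, so a
    brand-new host fires as well as a changed MAC."""
    return [(ts, ip, mac) for ts, ip, mac in sender_pairs(lines)
            if mac not in lookup.get(ip, ())]


if __name__ == "__main__":
    table = build_lookup(BASELINE)
    print("IPs with more than one MAC:", macs_per_ip(BASELINE + LATER))
    print("changed MACs:", changed_macs(LATER, table))
    print("new pairs:", new_pairs(LATER, table))
```

The split between `build_lookup` and the two alerting functions mirrors the two scheduled searches in the answer: the tracking search rewrites the table, the alerting search reads it; run the alerting search before the tracking search in each cycle, or the new pair is written into the table before it is compared against.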


Ah, jeeze, a lookup table. I should have thought of that.

Thank you!
