Splunk Search

Matching both sides of two kv pairs over time


I have a small DTrace app that monitors ARP requests and replies, producing output like this:

 2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=][targetMAC=0:1:d7:3b:55:44][targetIP=]

I'm interested in knowing if any (senderMAC, senderIP) pair differs from previously seen instances over some period of time, in roughly the way that arpwatch would alert me of a change.

Can't quite work out a strategy for this in Splunk. Any help?



Probably needs tweaking, but these should give you some ideas...

Simplest approach

Look over some period for any cases where one IP address has more than one MAC address:

eventtype=foo | stats dc(senderMAC) as MACCount list(senderMAC) by senderIP
    | search MACCount > 1

Track all New MACs for a given IP

Search 1 -- Tracking:

eventtype=foo | dedup senderIP, senderMAC | fields senderIP, senderMAC
    | outputlookup arplookup

Search 2 -- Alerting:

eventtype=foo | dedup senderIP, senderMAC
   | lookup arplookup senderIP OUTPUT senderMAC as oldMAC
   | where isnotnull(oldMAC) AND isnull(mvfind(oldMAC, "^".senderMAC."$"))

Track all New MAC-IP Pairs

This should have the (desirable or undesirable) side effect of also alerting on all new pairs, not just when a MAC address changes...

Search 1 -- Tracking:

eventtype=foo | dedup senderMAC, senderIP | eval knownpair=1
    | fields senderMAC, senderIP, knownpair | outputlookup macpairs

Search 2 -- Alerting:

eventtype=foo | lookup macpairs senderMAC, senderIP OUTPUT knownpair
    | search NOT knownpair=1
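As an added example, not code from the thread or from Splunk, here is the same logic as a stand-alone Python script run over constructed lines in the DTrace format shown in the question. It parses the `[key=value]` fields, flags IPs that have shown more than one sender MAC (the `stats dc(senderMAC) by senderIP` approach), and keeps an IP-to-MAC table that plays the role of the lookup, reporting arpwatch-style "new station" and "changed ethernet address" events. The sample log lines, the `audit`/`ips_with_multiple_macs` names and the alert labels are this example's own choices; it also skips events with an empty `senderIP`, like the one in the question, since there is nothing to key on, and zero-pads MAC octets so `0:3:ba:...` and `00:03:ba:...` compare equal.

```python
import re

# Constructed sample input in the DTrace monitor's format (not real captures).
SAMPLE_LOG = """\
2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]
2010 Sep  1 03:10:09 [type=Request][senderMAC=0:1:d7:3b:55:44][senderIP=10.0.0.1][targetMAC=0:0:0:0:0:0][targetIP=10.0.0.7]
2010 Sep  1 03:10:12 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=][targetMAC=0:1:d7:3b:55:44][targetIP=]
2010 Sep  1 03:11:40 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]
2010 Sep  1 03:12:01 [type=Reply][senderMAC=de:ad:be:ef:0:1][senderIP=10.0.0.5][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]
2010 Sep  1 03:12:05 [type=Reply][senderMAC=0:c:29:4a:11:22][senderIP=10.0.0.9][targetMAC=0:1:d7:3b:55:44][targetIP=10.0.0.1]
"""

KV_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
TS_RE = re.compile(r"^(\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d)")


def parse_line(line):
    """Return (timestamp, {field: value}) for one log line, or None if it does not match."""
    m = TS_RE.match(line)
    if not m:
        return None
    return m.group(1), dict(KV_RE.findall(line))


def normalize_mac(mac):
    """Lower-case and zero-pad each octet; return None if it is not six colon-separated octets."""
    octets = mac.strip().lower().split(":")
    if len(octets) != 6 or not all(o and len(o) <= 2 for o in octets):
        return None
    return ":".join(o.zfill(2) for o in octets)


def sender_pairs(lines):
    """Yield (timestamp, senderIP, senderMAC) for events with a usable sender IP and MAC."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        ip = fields.get("senderIP", "").strip()
        mac = normalize_mac(fields.get("senderMAC", ""))
        if not ip or mac is None:
            continue  # e.g. the empty senderIP= seen in the question: nothing to key on
        yield ts, ip, mac


def ips_with_multiple_macs(lines):
    """Equivalent of: stats dc(senderMAC) as MACCount values(senderMAC) by senderIP | search MACCount > 1"""
    seen = {}
    for _, ip, mac in sender_pairs(lines):
        seen.setdefault(ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def audit(lines, known=None):
    """Lookup-table approach. `known` maps senderIP -> last senderMAC (the 'arplookup' table).

    Returns (alerts, updated_known). Each alert is
    (timestamp, kind, ip, old_mac, new_mac) with kind 'new station' for an IP never
    seen before, or 'changed ethernet address' when a known IP shows a different MAC.
    Pass the returned table back in on the next run to alert only on changes.
    """
    known = dict(known or {})
    alerts = []
    for ts, ip, mac in sender_pairs(lines):
        old = known.get(ip)
        if old is None:
            alerts.append((ts, "new station", ip, None, mac))
        elif old != mac:
            alerts.append((ts, "changed ethernet address", ip, old, mac))
        known[ip] = mac
    return alerts, known


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("IPs with more than one MAC:", ips_with_multiple_macs(lines))
    alerts, table = audit(lines)
    for ts, kind, ip, old, new in alerts:
        print(f"{ts}  {kind}: {ip}  {old or '-'} -> {new}")
```

Running the script on the sample prints one "changed ethernet address" for 10.0.0.5 plus three "new station" events; the first run against an empty table flags every pair, so seed the table from a baseline window first, exactly as the "Tracking" search populates the lookup before the "Alerting" search is scheduled.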


Ah, jeeze, a lookup table. I should have thought of that.

Thank you!
