Report of distinct count of MAC addresses per session

lunatik280
New Member

Greetings Community,

I'm trying to figure out how to create a daily and weekly report that captures each unique patron's wireless session from our Cisco Aironet WAP based on each distinct MAC address counted. Is it possible to calculate session times per each unique association/disassociation?

The following log events occur for each device that associates and disassociates with the WAP:

Jan 26 10:36:22 10.10.30.5 15016: *Jun 25 14:38:31: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 34aa.3c7b.4cd1 Associated KEY_MGMT[NONE]

Jan 26 10:36:22 10.10.30.5 15017: *Jun 25 15:23:14: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 34aa.3c7b.4cd1 Reason: Sending station has left the BSS

Any support/guidance would be very appreciated!


lguinn2
Legend

This may work. Try it, but be aware that the transaction command can use a lot of memory and be impractical for very large data sets.

yoursearchhere
| transaction ip mac startswith="DOT11-6-ASSOC:" endswith="DOT11-6-DISASSOC"
| stats count as NumberOfSessions dc(mac) as NumofPatrons avg(duration) as AvgSessionTime
| fieldformat AvgSessionTime=tostring(AvgSessionTime,"duration")

or, if you don't want the summary statistics

yoursearchhere
| transaction ip mac startswith="DOT11-6-ASSOC:" endswith="DOT11-6-DISASSOC"
| eval SessionTime = tostring(duration,"duration")
| eval StartTime=strftime(_time,"%x %X")
| table mac StartTime SessionTime 

These searches assume that you have extracted the ip and mac fields. If you have not, do this

yoursearchhere
| rex "\d{2}:\d{2}:\d{2}\s+(?<ip>\d+\.\d+\.\d+\.\d+)\s.*?Station\s+(?<mac>.{4}\..{4}\..{4})"
...followed by the rest of the commands ...

HTH
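Added example, not part of the answer above and not Splunk code: the same association/disassociation pairing done as a single pass in Python, which shows what the transaction search computes and also counts the events it cannot pair. Assumptions: session time is measured from the leading syslog timestamp, the year (absent from the log) is supplied by the caller, and all sample events except the first MAC address are constructed.

```python
import re
from datetime import datetime

# Python spelling of the rex above ((?P<name>) instead of (?<name>)), extended here
# (assumption) to also capture the syslog timestamp and the event type.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s"
    r".*?%DOT11-6-(?P<kind>ASSOC|DISASSOC):"
    r".*?Station\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

# Constructed sample events in the question's log format.
ASSOC = "Interface Dot11Radio0, Station {} Associated KEY_MGMT[NONE]"
DISASSOC = ("Interface Dot11Radio0, Deauthenticating Station {} "
            "Reason: Sending station has left the BSS")
EVENTS = [
    ("10:00:00", "ASSOC", "34aa.3c7b.4cd1"), ("10:05:00", "ASSOC", "0011.2233.4455"),
    ("10:30:00", "DISASSOC", "34aa.3c7b.4cd1"), ("10:45:00", "DISASSOC", "0011.2233.4455"),
    ("11:00:00", "ASSOC", "34aa.3c7b.4cd1"), ("11:10:00", "DISASSOC", "34aa.3c7b.4cd1"),
    ("11:20:00", "DISASSOC", "66aa.77bb.88cc"),  # no matching association
    ("11:30:00", "ASSOC", "0011.2233.4455"),     # still connected at end of data
]
SAMPLE = [f"Jan 26 {t} 10.10.30.5 {15016 + i}: *Jun 25 {t}: %DOT11-6-{kind}: "
          + (ASSOC if kind == "ASSOC" else DISASSOC).format(mac)
          for i, (t, kind, mac) in enumerate(EVENTS)]

def sessions(lines, year=2024):
    """Pair ASSOC/DISASSOC per (ip, mac); the log has no year, so one is assumed."""
    open_at, closed, orphans = {}, [], 0
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["mac"])
        if m["kind"] == "ASSOC":
            open_at[key] = when                      # repeated ASSOC restarts the clock
        elif key in open_at:
            start = open_at.pop(key)
            closed.append((m["mac"], start, (when - start).total_seconds()))
        else:
            orphans += 1                             # DISASSOC with no ASSOC in range
    return closed, open_at, orphans

def summary(closed):
    """Same three numbers as the stats line in the answer."""
    secs = [d for _, _, d in closed]
    return {"NumberOfSessions": len(closed),
            "NumofPatrons": len({mac for mac, _, _ in closed}),
            "AvgSessionTime": sum(secs) / len(secs) if secs else 0.0}
```

Only closed pairs feed the summary; the open association and the unmatched disassociation are returned separately so a report can show how many events fell outside the search window.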
