Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

locate duplicate MAC addresses in dhcp logs

EricPartington
Communicator
‎03-03-2011 06:27 PM

Should be simple to solve, but i'm drawing a blank.

i have three fields i wnat to look at in dhcp logs mac hostname datetime

i'd like to show the mac address and the hostnames that the dhcp logs contain relating to it. There should be only one mac per hostname but where there isnt i'd like to have alist of all the hostnames that have the duplicate.

how best to search for that?

sourcetype=dhcpd eventtype=dhcpack | top mac

should give me a count of all macs that show up in the logs i'd like to see the hostnames that refer to that mac (should be 1 to 1 relationship).

thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 11:02 PM

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname | search macCount>1

It says for each hostname, give me the number of distinct values of mac and call it 'macCount', and give me the distinct values of mac and call it 'mac'. Coming out of the stats clause the 'mac' field will now be a multivalue field.

If you want to expand the list of offenders back out into a result set that has one row per mac-address, I think this will do it: 

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname 
| search macCount>1 | stats count by hostname mac

View solution in original post

Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎03-03-2011 11:05 PM

Assuming you have mac and hostname extracted, I would do the following search:

sourcetype=dhcpd eventtype=dhcpack 
        | table mac hostname
        | dedup mac, hostname
        | mvcombine hostname
        | eventstats distinct_count(hostname) as HostCount by mac 
        | where HostCount > 1

Edit: Beaten to the punch with a better search by Nick. Ain't that always the way.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 11:02 PM

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname | search macCount>1

It says for each hostname, give me the number of distinct values of mac and call it 'macCount', and give me the distinct values of mac and call it 'mac'. Coming out of the stats clause the 'mac' field will now be a multivalue field.

If you want to expand the list of offenders back out into a result set that has one row per mac-address, I think this will do it: 

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname 
| search macCount>1 | stats count by hostname mac
Reply
Solved! Jump to solution

EricPartington
Communicator
‎03-05-2011 03:43 AM

Thanks for the solutions everyone, nice to know there are many ways to solve the problem.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...