Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

subsearch in a stats command?

ilhwan
Path Finder
‎02-17-2026 09:36 AM

I'm using this command to search dhcp logs and find devices that are new in the last 30 days other than a list of expected hostnames:

index=dhcp dhcp_type IN (DHCPACK DHCPOFFER) NOT (dest_hostname IN (PC* LP* GIS* MU* iPhone* iPad*))
| stats earliest(_time) AS FirstTime by dest_mac 
| where FirstTime > relative_time(now(), "-30d@d")
| convert ctime(FirstTime)
| `LOOKUP_OUI(dest_mac)`

I would like to display the latest dest_hostname and its IP address (dest_ip) by searching again just to populate those fields.  I don't want to add them to the stats statement because I don't want to differentiate when IP address or hostname change.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2026 10:24 AM

Try something like this

| stats latest(FirstTime) AS FirstTime latest(dest_hostname) as dest_hostname latest(dest_ip) as dest_ip by dest_mac

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2026 10:02 AM

Try something like this

index=dhcp dhcp_type IN (DHCPACK DHCPOFFER) NOT (dest_hostname IN (PC* LP* GIS* MU* iPhone* iPad*))
| stats earliest(_time) AS FirstTime by dest_mac dest_hostname dest_ip
| where FirstTime > relative_time(now(), "-30d@d")
| stats earliest(_time) AS FirstTime earliest(dest_hostname) as dest_hostname earliest(dest_ip) as dest_ip by dest_mac
| convert ctime(FirstTime)
| `LOOKUP_OUI(dest_mac)`
0 Karma
Reply
Solved! Jump to solution

ilhwan
Path Finder
‎02-17-2026 10:21 AM

It's close.  Changing earliest(dest_hostname) and earliest(dest_ip) to latest(dest_hostname) and latest(dest_ip) gave me what I wanted in those fields, but now FirstTime is blank.

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2026 10:24 AM

Try something like this

| stats latest(FirstTime) AS FirstTime latest(dest_hostname) as dest_hostname latest(dest_ip) as dest_ip by dest_mac
0 Karma
Reply
Solved! Jump to solution

ilhwan
Path Finder
‎02-17-2026 10:35 AM

Thanks!  That did it.  I couldn't work out in my head how to make FirstTime part of the second stats output properly.  This is the search now with the corrections:

index=dhcp dhcp_type IN (DHCPACK DHCPOFFER) NOT (dest_hostname IN (PC* LP* GIS* MU* iPhone* iPad*)) 
| stats  earliest(_time) AS FirstTime BY dest_mac dest_hostname dest_ip
| where FirstTime > relative_time(now(), "-30d@d")
| stats latest(FirstTime) AS FirstTime latest(dest_hostname) AS dest_hostname latest(dest_ip) AS dest_ip BY dest_mac
| convert ctime(FirstTime)
| `LOOKUP_OUI(dest_mac)`
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...