Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

subsearch in a stats command?

ilhwan
Path Finder
‎02-17-2026 09:36 AM

I'm using this command to search dhcp logs and find devices that are new in the last 30 days other than a list of expected hostnames:

index=dhcp dhcp_type IN (DHCPACK DHCPOFFER) NOT (dest_hostname IN (PC* LP* GIS* MU* iPhone* iPad*))
| stats earliest(_time) AS FirstTime by dest_mac 
| where FirstTime > relative_time(now(), "-30d@d")
| convert ctime(FirstTime)
| `LOOKUP_OUI(dest_mac)`

I would like to display the latest dest_hostname and its IP address (dest_ip) by searching again just to populate those fields.  I don't want to add them to the stats statement because I don't want to differentiate when IP address or hostname change.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2026 10:24 AM

Try something like this

| stats latest(FirstTime) AS FirstTime latest(dest_hostname) as dest_hostname latest(dest_ip) as dest_ip by dest_mac

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2026 10:02 AM

Try something like this

index=dhcp dhcp_type IN (DHCPACK DHCPOFFER) NOT (dest_hostname IN (PC* LP* GIS* MU* iPhone* iPad*))
| stats earliest(_time) AS FirstTime by dest_mac dest_hostname dest_ip
| where FirstTime > relative_time(now(), "-30d@d")
| stats earliest(_time) AS FirstTime earliest(dest_hostname) as dest_hostname earliest(dest_ip) as dest_ip by dest_mac
| convert ctime(FirstTime)
| `LOOKUP_OUI(dest_mac)`
0 Karma
Reply
Solved! Jump to solution

ilhwan
Path Finder
‎02-17-2026 10:21 AM

It's close.  Changing earliest(dest_hostname) and earliest(dest_ip) to latest(dest_hostname) and latest(dest_ip) gave me what I wanted in those fields, but now FirstTime is blank.

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2026 10:24 AM

Try something like this

| stats latest(FirstTime) AS FirstTime latest(dest_hostname) as dest_hostname latest(dest_ip) as dest_ip by dest_mac
0 Karma
Reply
Solved! Jump to solution

ilhwan
Path Finder
‎02-17-2026 10:35 AM

Thanks!  That did it.  I couldn't work out in my head how to make FirstTime part of the second stats output properly.  This is the search now with the corrections:

index=dhcp dhcp_type IN (DHCPACK DHCPOFFER) NOT (dest_hostname IN (PC* LP* GIS* MU* iPhone* iPad*)) 
| stats  earliest(_time) AS FirstTime BY dest_mac dest_hostname dest_ip
| where FirstTime > relative_time(now(), "-30d@d")
| stats latest(FirstTime) AS FirstTime latest(dest_hostname) AS dest_hostname latest(dest_ip) AS dest_ip BY dest_mac
| convert ctime(FirstTime)
| `LOOKUP_OUI(dest_mac)`
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...