Hi again,
The following search, or something similar would probably be sufficient;
sourcetype=dhcp DHCPDISCOVER earliest=-8h latest=-4h
| stats c AS OLD_DISCOVERIES by MAC
| join MAC type=outer
    [search sourcetype=dhcp DHCPDISCOVER earliest=-4h latest=now
     | stats c AS NEW_DISCOVERIES by MAC]
| fillnull
| eval change_in_percent=round((NEW_DISCOVERIES/OLD_DISCOVERIES - 1) * 100, 1)
| where change_in_percent > 500
Since I didn't have your data, I had to play with other sources/sourcetypes/fields - but I think that this should work for you. Still assuming that you have a sourcetype of 'dhcp' and that MAC-addresses are extracted into the 'MAC' field.
Basically, this is a comparison of two searches - each with a 4 hour time span. Unfortunately, I needed to use the 'join' function to make this work - and this is generally expensive. There are probably other more efficient ways of linking the inner and outer searches. In my tests the results came back quickly, but then I only had a few thousand events to play with.
You might already have field extraction for DHCPDISCOVER, and if so, you should probably use that. Also, you may want to change the time constraints, but this is up to you.
Hope this helps,
Kristian
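The two-window comparison in Kristian's search, rewritten as a small stand-alone Python script so the logic can be checked against sample data without a Splunk instance. This is an added example, not code from the original post: the syslog-style dhcpd lines, the fixed "now" timestamp and the MAC addresses are all constructed. It counts DHCPDISCOVER events per MAC in the old window (8h to 4h ago) and the new window (last 4h), applies the same "fillnull then percent change over 500" rule, and additionally lists MACs that appear only in the new window, which the SPL version drops (the outer join keeps only MACs from the old-window search, and a zero OLD count makes the division null).

```python
"""Reference implementation of the two-window DHCPDISCOVER comparison."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: fixed "now" and synthetic dhcpd syslog lines.
NOW = datetime(2024, 1, 1, 12, 0, 0)

# Matches lines such as "2024-01-01 10:00:00 dhcpd: DHCPDISCOVER from aa:bb:... via eth0".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dhcpd: DHCPDISCOVER from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def make_sample(now):
    """Build constructed log lines at fixed offsets before `now`."""
    lines = []

    def add(mac, hours_ago, n):
        for i in range(n):
            ts = now - timedelta(hours=hours_ago, seconds=i)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} dhcpd: DHCPDISCOVER from {mac} via eth0")

    add("00:11:22:33:44:55", 6, 2)    # old window: 2 discovers
    add("00:11:22:33:44:55", 2, 30)   # new window: 30 discovers -> +1400 %
    add("aa:bb:cc:dd:ee:01", 6, 5)    # old window: 5
    add("aa:bb:cc:dd:ee:01", 2, 6)    # new window: 6 -> +20 %, below threshold
    add("de:ad:be:ef:00:01", 10, 3)   # older than 8h: outside both windows
    add("de:ad:be:ef:00:01", 1, 40)   # only seen in the new window
    # A non-DISCOVER event that the regex must ignore.
    lines.append("2024-01-01 11:00:00 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via eth0")
    return lines


def count_discoveries(lines, now, start_hours_ago, end_hours_ago):
    """Count DHCPDISCOVER lines per MAC in [now-start, now-end)."""
    start = now - timedelta(hours=start_hours_ago)
    end = now - timedelta(hours=end_hours_ago)
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if start <= ts < end:
            counts[m["mac"].lower()] += 1
    return counts


def compare_windows(lines, now, threshold=500.0):
    """Return (flagged MAC -> percent change, MACs seen only in the new window)."""
    old = count_discoveries(lines, now, 8, 4)   # earliest=-8h latest=-4h
    new = count_discoveries(lines, now, 4, 0)   # earliest=-4h latest=now
    flagged = {}
    new_only = set()
    for mac in set(old) | set(new):
        o, n = old.get(mac, 0), new.get(mac, 0)  # equivalent of fillnull
        if o == 0:
            # In SPL this MAC is either dropped by the outer join or yields a
            # null division; surface it explicitly instead of losing it.
            new_only.add(mac)
            continue
        change = round((n / o - 1) * 100, 1)
        if change > threshold:
            flagged[mac] = change
    return flagged, sorted(new_only)


if __name__ == "__main__":
    flagged, new_only = compare_windows(make_sample(NOW), NOW)
    for mac, pct in flagged.items():
        print(f"{mac}: +{pct}% DHCPDISCOVER vs previous 4h window")
    for mac in new_only:
        print(f"{mac}: no history in previous window (not visible in the SPL result)")
```

The `new_only` list is the part worth keeping an eye on when adapting the search: a client that floods DHCPDISCOVER without any earlier history is exactly the kind of MAC the percent-change rule cannot score, so a separate absolute-count threshold on the new window is a sensible companion check.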