cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
dtilly
New Member
Member since: ‎04-11-2015
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-11-2015
Activity Feed
View All

Re: How do I create a search which takes a list of...

by in Splunk Search
‎04-11-2015 09:58 AM
‎04-11-2015 09:58 AM
That makes perfect sense. Now your query will serve my needs, but let me ask for a little clarification. fdi01 above listed a way to include a list in the query... "stats values(srcMac) as "liste of srcMac " by time". Your query will give me the last for every single MAC address, but let's say I am only interested in 10 MAC addresses. I could use your query and dump everything to a spreadsheet and then search for the ones I am interested in, but how would I limit the searching to a set of MACs vs every single one. Would something like this work: srcMac=* as "list" time=*|stats first(time) by srcMac Sorry I am a newbie at this. ... View more

Re: How do I create a search which takes a list of...

by in Splunk Search
‎04-11-2015 09:34 AM
‎04-11-2015 09:34 AM
OK I think that's it, except for some reason, your query returns the first occurances of each srcMac. So I tried: srcMac=* time=*|stats first(time) by srcMac That did the trick. I guess the query searches for the first database occurrence searching backwards from most recent. Is this true? ... View more

Re: How do I create a search which takes a list of...

by in Splunk Search
‎04-11-2015 03:43 AM
‎04-11-2015 03:43 AM
Thanks for the quick response, but your query returns every single srcMac and the time of it's entry. This will return millions of records per day. I need only the last entry for each srcMac. If I add | head 1 to the query, I only get the last one record, not the last one record per srcMac. ... View more

How do I create a search which takes a list of ite...

by in Splunk Search
‎04-11-2015 03:10 AM
‎04-11-2015 03:10 AM
I am using Splunk to log all data from a firewall. I get records that contain MAC addresses and timestamps among many other fields. An example of these fields would be: time="2015-03-28 12:03:17" srcMac=f0:a2:25:82:b0:c1 I am trying to write a search or dashboard or report that will allow me to import a list of srcMac values and have it return a table that lists the input values and the last time that each srcMac has appeared in the logs. The following search will give me what I want for one value: f0:a2:25:82:b0:c1 | head 1 | table time, srcMac The question is, how do I make this loop through a list of srcMac values and create one table listing each? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM