Activity Feed
- Posted Re: How do I create a search which takes a list of items as input and returns a table on Splunk Search. 04-11-2015 09:58 AM
- Posted Re: How do I create a search which takes a list of items as input and returns a table on Splunk Search. 04-11-2015 09:34 AM
- Posted Re: How do I create a search which takes a list of items as input and returns a table on Splunk Search. 04-11-2015 03:43 AM
- Posted How do I create a search which takes a list of items as input and returns a table on Splunk Search. 04-11-2015 03:10 AM
04-11-2015 09:58 AM
That makes perfect sense. Now your query will serve my needs, but let me ask for a little clarification. fdi01 above listed a way to include a list in the query... "stats values(srcMac) as "liste of srcMac " by time". Your query will give me the last for every single MAC address, but let's say I am only interested in 10 MAC addresses. I could use your query and dump everything to a spreadsheet and then search for the ones I am interested in, but how would I limit the searching to a set of MACs vs every single one.
Would something like this work:
srcMac=* as "list" time=*|stats first(time) by srcMac
Sorry I am a newbie at this.
04-11-2015 09:34 AM
OK I think that's it, except for some reason, your query returns the first occurrences of each srcMac. So I tried:
srcMac=* time=*|stats first(time) by srcMac
That did the trick. I guess the query searches for the first database occurrence searching backwards from most recent. Is this true?
04-11-2015 03:43 AM
Thanks for the quick response, but your query returns every single srcMac and the time of its entry. This will return millions of records per day. I need only the last entry for each srcMac. If I add | head 1 to the query, I only get the last one record, not the last one record per srcMac.
04-11-2015 03:10 AM
I am using Splunk to log all data from a firewall. I get records that contain MAC addresses and timestamps among many other fields. An example of these fields would be:
time="2015-03-28 12:03:17" srcMac=f0:a2:25:82:b0:c1
I am trying to write a search or dashboard or report that will allow me to import a list of srcMac values and have it return a table that lists the input values and the last time that each srcMac has appeared in the logs. The following search will give me what I want for one value:
f0:a2:25:82:b0:c1 | head 1 | table time, srcMac
The question is, how do I make this loop through a list of srcMac values and create one table listing each?
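One way to answer both the original question (a list of srcMac values in, one row per value with its last-seen time out) and the follow-up about restricting the search to a handful of MACs rather than every address on the firewall. This is an added example and is not a query from the thread or from any of the answers in it. It assumes the firewall events live in an index named `firewall`, keep the poster's field names `srcMac` and `time`, and that the list of addresses has been uploaded as a lookup table file named `mac_watchlist.csv` with a single column header `srcMac` (all three names are assumptions; a constructed two-line file would be `srcMac` on the first line and `f0:a2:25:82:b0:c1` on the second).

```spl
| inputlookup mac_watchlist.csv
| fields srcMac
| join type=left srcMac
    [ search index=firewall srcMac=*
          [ | inputlookup mac_watchlist.csv | fields srcMac ]
      | stats latest(time) AS last_seen BY srcMac ]
| fillnull value="never seen" last_seen
| table srcMac, last_seen
```

The inner subsearch `[ | inputlookup mac_watchlist.csv | fields srcMac ]` expands to `(srcMac="..." OR srcMac="...")`, so Splunk only reads events for the listed addresses instead of aggregating millions of events per day and filtering afterwards. `latest(time)` takes the value from the event with the greatest `_time`, whereas `first(time)` simply returns the first value in the order the results arrive, which is reverse-chronological by default and therefore happens to give the most recent entry; `latest()` does not depend on that ordering. The outer `join type=left` keeps every row of the watchlist, so an address that never appears in the logs still shows up, marked `never seen` by `fillnull`, which is usually the row you most want to notice. The default limits on a `join` subsearch (50,000 rows and 60 seconds) are irrelevant for a list of ten MACs, but a very large watchlist would call for the `append` plus `stats` pattern instead.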