Hello everyone,
I am currently trying to get a list of MAC addresses that can't authenticate within Cisco ISE.
I already created a search string for those events.
search tag="authentication" eventtype="cisco-ise" "NOTICE Failed-Attempt: Authentication failed" | dedup EndPointMACAddress
This search string works fine so far, but here comes the problem. It's possible that a client can't authenticate itself during bootup (generating a fail event). After bootup, the authentication succeeds (generating a success event). Those clients are erroneously in the failed authentications event list.
So I would create two searches:
tag="authentication" eventtype="cisco-ise" "NOTICE Passed-Authentication: Authentication succeeded" | dedup EndPointMACAddress
tag="authentication" eventtype="cisco-ise" "NOTICE Failed-Attempt: Authentication failed" | dedup EndPointMACAddress
Now I need to check every unique MAC from the failed list against the succeeded list, but I have absolutely no clue how to realize this. I hope you can give me some helpful tips. I'm sorry for my bad English. Hopefully the problem is clear.
greetings
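The comparison described in the post, as an added example that is not part of the original post or of Splunk: it parses constructed ISE-style lines (the message strings from the two searches plus an EndPointMACAddress field; the exact line layout is an assumption, not real ISE output), builds the set difference of failed minus succeeded MACs, and also goes one step further by keeping only MACs whose latest event is a failure, so a boot-time failure followed by a pass drops out while a pass followed by a later failure is still reported.

```python
import re
from datetime import datetime

# Constructed sample events in a simplified ISE-like syslog shape (not real ISE output).
SAMPLE_EVENTS = [
    "2024-03-01T08:00:01 NOTICE Failed-Attempt: Authentication failed EndPointMACAddress=AA:BB:CC:00:00:01",
    "2024-03-01T08:00:09 NOTICE Passed-Authentication: Authentication succeeded EndPointMACAddress=AA:BB:CC:00:00:01",
    "2024-03-01T08:05:00 NOTICE Failed-Attempt: Authentication failed EndPointMACAddress=aa-bb-cc-00-00-02",
    "2024-03-01T09:00:00 NOTICE Passed-Authentication: Authentication succeeded EndPointMACAddress=AA:BB:CC:00:00:03",
    "2024-03-01T09:30:00 NOTICE Passed-Authentication: Authentication succeeded EndPointMACAddress=AA:BB:CC:00:00:04",
    "2024-03-01T10:00:00 NOTICE Failed-Attempt: Authentication failed EndPointMACAddress=AA:BB:CC:00:00:04",
    "2024-03-01T10:01:00 INFO something unrelated with no MAC field",
]

# Assumed line layout: "<ISO timestamp> NOTICE <kind>: ... EndPointMACAddress=<mac>".
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+NOTICE\s+(?P<kind>Failed-Attempt|Passed-Authentication):.*?"
    r"EndPointMACAddress=(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)


def parse_event(line):
    """Return (timestamp, 'fail' | 'pass', normalised MAC) or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    outcome = "fail" if m.group("kind") == "Failed-Attempt" else "pass"
    mac = m.group("mac").upper().replace("-", ":")  # one spelling so dedup works
    return datetime.fromisoformat(m.group("ts")), outcome, mac


def failed_never_passed(lines):
    """MACs with at least one failure and no success at all (failed minus succeeded)."""
    seen = {}
    for _, outcome, mac in filter(None, map(parse_event, lines)):
        seen.setdefault(mac, set()).add(outcome)
    return sorted(mac for mac, outcomes in seen.items() if "pass" not in outcomes)


def failed_last(lines):
    """MACs whose most recent event is a failure: a boot-time failure followed by a pass
    is excluded, but a pass followed by a later failure is still reported."""
    latest = {}
    for ts, outcome, mac in filter(None, map(parse_event, lines)):
        if mac not in latest or ts >= latest[mac][0]:
            latest[mac] = (ts, outcome)
    return sorted(mac for mac, (_, outcome) in latest.items() if outcome == "fail")


if __name__ == "__main__":
    print("never succeeded:", failed_never_passed(SAMPLE_EVENTS))
    print("last event failed:", failed_last(SAMPLE_EVENTS))
```

The same logic in Splunk would be a single search over both message types that groups by EndPointMACAddress and keeps only the MACs with no success (or whose latest event is a failure), rather than two separate dedup searches.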