Hi, I have 3 searches from 3 different devices, and I would like to have 1 report which contains data from the 3 devices in 1 line. I am tracking a user who plugs his PC into a switch, which in turn asks the DHCP server to assign an IP address to him; a role will then be assigned to him by an app server. I want to match the MAC address from the logs of the switch to the MAC address from the logs in the DHCP, then match the IP address from the DHCP logs to the IP address in the app server log. Is this possible? Thanks in advance!
Switch: Switch MAC Address & Local Port
DHCP: MAC Address & IP Address
App Server: IP Address & Role
Report will have:
MAC Address, IP Address, Role in 1 line
Edit:
Here are the three searches:
host="10.21.10.23" | rex field=_raw "for client (..[)] on Interface [ ]" | eval switch_mac=switch_mac1.switch_mac2.switch_mac3 | stats count by switch_mac IPort
(host="10.21.10.8" OR host="10.21.10.7") "10.21.23" | rex field=_raw "IP address (? .) is assigned to (? . )[.] ([)]" | stats count by Mac_adr, IPadr
(host="10.21.10.3" OR host="10.21.10.4") "10.21.23" | rex field=_raw " on host (? .) changed from <(? . )> to <(? .*)>" | stats count by clientpc, FromRole, ToRole
Thank You
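The two-hop match described in the question (switch MAC to DHCP MAC, then DHCP IP to app-server IP), as an added Python example that is not part of the original post and not Splunk code. It assumes the events are already parsed into the field names used in the three searches, that `clientpc` holds the client IP, and that the switch logs MACs in a dotted three-group notation; the timestamps and all sample values are constructed.

```python
import re
from bisect import bisect_right

def norm_mac(mac):
    """Reduce any MAC notation (aa:bb:.., aabb.ccdd.eeff, AA-BB-..) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def index(records, key_fn, val_fn):
    """Group records by key as time-sorted lists of (time, value)."""
    out = {}
    for r in sorted(records, key=lambda r: r["time"]):
        out.setdefault(key_fn(r), []).append((r["time"], val_fn(r)))
    return out

def latest_before(events, key, when):
    """Return the newest (time, value) for `key` with time <= when, or None."""
    rows = events.get(key, [])
    i = bisect_right([t for t, _ in rows], when)
    return rows[i - 1] if i else None

def correlate(switch, dhcp, app):
    """One report row per role change: MAC, switch port, IP, role."""
    ports = index(switch, lambda r: norm_mac(r["switch_mac"]), lambda r: r["IPort"])
    leases = index(dhcp, lambda r: r["IPadr"], lambda r: norm_mac(r["Mac_adr"]))
    report = []
    for ev in sorted(app, key=lambda r: r["time"]):
        # Use the lease that was current at the time of the role change,
        # because DHCP can hand the same IP to a different MAC later on.
        lease = latest_before(leases, ev["clientpc"], ev["time"])
        mac = lease[1] if lease else None
        port = latest_before(ports, mac, ev["time"]) if mac else None
        report.append({"mac": mac, "port": port[1] if port else None,
                       "ip": ev["clientpc"], "role": ev["ToRole"]})
    return report

# Constructed sample events (epoch seconds); every value below is made up.
SWITCH = [{"time": 100, "switch_mac": "0011.2233.4455", "IPort": "Gi1/0/5"},
          {"time": 400, "switch_mac": "aabb.ccdd.eeff", "IPort": "Gi1/0/9"}]
DHCP = [{"time": 110, "Mac_adr": "00:11:22:33:44:55", "IPadr": "10.21.23.40"},
        {"time": 410, "Mac_adr": "AA-BB-CC-DD-EE-FF", "IPadr": "10.21.23.40"}]  # IP reused
APP = [{"time": 120, "clientpc": "10.21.23.40", "FromRole": "guest", "ToRole": "staff"},
       {"time": 420, "clientpc": "10.21.23.40", "FromRole": "guest", "ToRole": "contractor"},
       {"time": 430, "clientpc": "10.21.23.99", "FromRole": "guest", "ToRole": "staff"}]

if __name__ == "__main__":
    for row in correlate(SWITCH, DHCP, APP):
        print(row)
```

Rows with no matching lease keep `None` for MAC and port instead of being dropped, so gaps in DHCP logging stay visible in the report.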