Solved: One MAC multiple IP's Table View

hartfoml · ‎01-21-2014

I have a search like this

index="wireless" DHCP ACK | table _time src_mac src_ip

I would like to show a table of MAC and the assoseated IP's the MAC has used and when it recieved the IP

Like this:

fc:c7:34:de:58:56 1/1/2013 123.45.6.789

                           1/2/2013       123.45.6.978

fc:25:3f:a0:6d:bb 2/1/2013 123.45.6.912

                           2/3/1023       123.45.6.864

Ayn · ‎01-21-2014

How about

index="wireless" DHCP ACK | stats list(_time) as time,list(src_ip) as src_ip by src_mac | convert ctime(time)

Ayn · ‎01-21-2014

How about

index="wireless" DHCP ACK | stats list(_time) as time,list(src_ip) as src_ip by src_mac | convert ctime(time)

hartfoml · ‎01-21-2014

If I could bother you for one more thing.

If I wanted to use the transaction commend but only find the src_mac that have more than one IP how could I do that?

hartfoml · ‎01-21-2014

Wow this is great stuff. Thanks Ayn

Ayn · ‎01-21-2014

...or if you want to use transaction for some reason,

index="wireless" DHCP ACK | transaction src_mac | table src_mac _time src_ip

One MAC multiple IP's Table View