Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

locate duplicate MAC addresses in dhcp logs

EricPartington
Communicator
‎03-03-2011 06:27 PM

Should be simple to solve, but i'm drawing a blank.

i have three fields i wnat to look at in dhcp logs mac hostname datetime

i'd like to show the mac address and the hostnames that the dhcp logs contain relating to it. There should be only one mac per hostname but where there isnt i'd like to have alist of all the hostnames that have the duplicate.

how best to search for that?

sourcetype=dhcpd eventtype=dhcpack | top mac

should give me a count of all macs that show up in the logs i'd like to see the hostnames that refer to that mac (should be 1 to 1 relationship).

thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 11:02 PM

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname | search macCount>1

It says for each hostname, give me the number of distinct values of mac and call it 'macCount', and give me the distinct values of mac and call it 'mac'. Coming out of the stats clause the 'mac' field will now be a multivalue field.

If you want to expand the list of offenders back out into a result set that has one row per mac-address, I think this will do it: 

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname 
| search macCount>1 | stats count by hostname mac

View solution in original post

Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎03-03-2011 11:05 PM

Assuming you have mac and hostname extracted, I would do the following search:

sourcetype=dhcpd eventtype=dhcpack 
        | table mac hostname
        | dedup mac, hostname
        | mvcombine hostname
        | eventstats distinct_count(hostname) as HostCount by mac 
        | where HostCount > 1

Edit: Beaten to the punch with a better search by Nick. Ain't that always the way.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 11:02 PM

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname | search macCount>1

It says for each hostname, give me the number of distinct values of mac and call it 'macCount', and give me the distinct values of mac and call it 'mac'. Coming out of the stats clause the 'mac' field will now be a multivalue field.

If you want to expand the list of offenders back out into a result set that has one row per mac-address, I think this will do it: 

<your search> | stats dc(mac) as macCount values(mac) as mac by hostname 
| search macCount>1 | stats count by hostname mac
Reply
Solved! Jump to solution

EricPartington
Communicator
‎03-05-2011 03:43 AM

Thanks for the solutions everyone, nice to know there are many ways to solve the problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...