Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I search for results that share the same Mac address?

shandman
Path Finder
‎10-17-2017 01:34 PM

I think I'm close. Just need a little help. here is my current search
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same mac address.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:35 PM

Okay, two things - First, make sure your hosts have standardized names. Many systems have "host" sometimes in lower case, sometimes upper, and sometimes short host and sometimes FQDN. Those are all a single host, so you have to standardize the format of dest_nt_host before the stats command.

Second, upload your csv into a lookup, with the host in a field named host then run a search like this...

 index=windows sourcetype=dhcpsrvlog 
| dedup raw_mac,dest_nt_host
|  something that formats your host
| dedup raw_mac,dest_nt_host
| stats values(dest_nt_host) as host by raw_mac 
| where mvcount(host) > 1
| mvexpand host
| lookup myhosts.csv host OUTPUT host as foundme

Then this gets the ones that WERE in the lookup table... 

| where isnotnull(foundme)

...and this gets the ones that were NOT in the lookup table... 

| where isnull(foundme)

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:35 PM

Okay, two things - First, make sure your hosts have standardized names. Many systems have "host" sometimes in lower case, sometimes upper, and sometimes short host and sometimes FQDN. Those are all a single host, so you have to standardize the format of dest_nt_host before the stats command.

Second, upload your csv into a lookup, with the host in a field named host then run a search like this...

 index=windows sourcetype=dhcpsrvlog 
| dedup raw_mac,dest_nt_host
|  something that formats your host
| dedup raw_mac,dest_nt_host
| stats values(dest_nt_host) as host by raw_mac 
| where mvcount(host) > 1
| mvexpand host
| lookup myhosts.csv host OUTPUT host as foundme

Then this gets the ones that WERE in the lookup table... 

| where isnotnull(foundme)

...and this gets the ones that were NOT in the lookup table... 

| where isnull(foundme)
Reply
Solved! Jump to solution

shandman
Path Finder
‎10-19-2017 10:32 AM

Thank you. This is great!

Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-19-2017 11:03 AM

@shandman - Glad we were able to help! If that solved your issue, please "accept" the answer so that folks will know the question is closed.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-17-2017 09:57 PM

Hi @shandman,

This query might help you

index=windows sourcetype=dhcpsrvlog | dedup raw_mac,dest_nt_host| stats count(dest_nt_host) AS hostcount, values(dest_nt_host) by raw_mac | where hostcount > 1

Thanks,
Harshil

Reply
Solved! Jump to solution

shandman
Path Finder
‎10-18-2017 11:14 AM

The query works. For some reason I'm getting over 1000 results. Multiple hosts with the same mac. Weird. Thank you for the response though. I'll keep tinkering.

0 Karma
Reply
Solved! Jump to solution

shandman
Path Finder
‎10-18-2017 11:26 AM

I also just created a .csv lookup file that is pulling cmdb data with mac addresses to workstation. How can i append this search (above) to include the lookup .csv and verify that hosts match?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...