Hi guys,
I'm new to splunk and searching for a solution to count the active wireless lan clients in my network.
I'm using openwrt accesspoints with syslog output.
A message of an authenticated clients looks like the following:
Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA XX:XX:XX:XX:XX:XX IEEE 802.11: authenticated
A message of an deauthenticated client looks like the following:
Jan 26 14:02:47 192.168.0.11 Jan 26 14:02:47 hostapd: wlan0-2: STA XX:XX:XX:XX:XX:XX IEEE 802.11: deauthenticated due to local deauth request
How can I count all clients / MAC-Addresses that got the last message authentication and no previous deauthentication?
Thanks a lot!
Try this run anywhere search
| makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123456 IEEE 802.11: authenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)" | append [| makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123456 IEEE 802.11: deauthenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)"] | append [| makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123452 IEEE 802.11: authenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)"] | append [| makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123458 IEEE 802.11: deauthenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)"] | stats values(status) as status by ip |eval a=mvindex(status,0) |eval b=mvindex(status,1) | search a="authenticated" OR b="authenticated" NOT (a="deauthenticated" OR b="deauthenticated")
in your environment, suppose you have common field mac_ip
then try
index=<your_index> mac_ip=* (authenticated OR deauthenticated) | rex field=_raw "IEEE.*:\s(?<status>\w+)"] | stats values(status) as status by mac_ip |eval a=mvindex(status,0) |eval b=mvindex(status,1) | search a="authenticated" OR b="authenticated" NOT (a="deauthenticated" OR b="deauthenticated") | stats count(mac_ip)
let me know if this helps!
is there any common field for client like clientip,clientusername,clientid
which is unique to that client?
hi mayurr98, thank you!
The MAC-Address (e.g XX:XX:XX:XX:XX:XX) is unique.
I think looking for the MAC and maybe auth / deauth is a good combination, maybe..
Yes, I have done that only, have you tried the solution given below?
Accept the answer to resolve this question if it is working for you!