
Counting active wireless lan clients with openwrt syslog

jonaskemmer
New Member

Hi guys,

I'm new to Splunk and searching for a solution to count the active wireless LAN clients in my network.
I'm using OpenWrt access points with syslog output.

A message for an authenticated client looks like the following:

    Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA XX:XX:XX:XX:XX:XX IEEE 802.11: authenticated

A message for a deauthenticated client looks like the following:

    Jan 26 14:02:47 192.168.0.11 Jan 26 14:02:47 hostapd: wlan0-2: STA XX:XX:XX:XX:XX:XX IEEE 802.11: deauthenticated due to local deauth request

How can I count all clients / MAC addresses for which the last message was an authentication and there was no previous deauthentication?

Thanks a lot!


mayurr98
Super Champion

Try this run-anywhere search:

    | makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123456 IEEE 802.11: authenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)" | append [| makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123456 IEEE 802.11: deauthenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)"] | append [| makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123452 IEEE 802.11: authenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)"] | append [| makeresults | eval raw="Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA 123458 IEEE 802.11: deauthenticated" | rex field=raw ".*(?<ip>\d{6}).*IEEE.*:\s(?<status>\w+)"] | stats values(status) as status by ip | eval a=mvindex(status,0) | eval b=mvindex(status,1) | search a="authenticated" OR b="authenticated" NOT (a="deauthenticated" OR b="deauthenticated")

In your environment, supposing you have a common field mac_ip, then try:

    index=<your_index> mac_ip=* (authenticated OR deauthenticated) | rex field=_raw "IEEE.*:\s(?<status>\w+)" | stats values(status) as status by mac_ip | eval a=mvindex(status,0) | eval b=mvindex(status,1) | search a="authenticated" OR b="authenticated" NOT (a="deauthenticated" OR b="deauthenticated") | stats count(mac_ip)

Let me know if this helps!

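As an added illustration (not code from the thread or from Splunk), here is the same client-counting logic written in Python over raw hostapd syslog lines. It goes a step beyond the search above: events are ordered per MAC by timestamp, so a client that deauthenticated and later re-authenticated is still counted as active, and a per-access-point breakdown is included. The `clients_never_deauthenticated` function mirrors the set-based `values()`/`search` filter from the answer for comparison. The sample log, the MAC addresses and the second access point (192.168.0.12) are constructed; the year passed to the parser is an assumption, because BSD syslog timestamps do not carry one.

```python
"""Track active Wi-Fi clients from OpenWrt hostapd syslog lines (added example)."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Matches the relayed hostapd lines shown in the thread: the syslog header
# (timestamp + access point) followed by the original hostapd message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"   # syslog timestamp
    r"(?P<ap>\S+)\s+"                                            # access point (IP or hostname)
    r".*?hostapd:\s+(?P<iface>[\w.-]+):\s+"                      # radio/SSID interface, e.g. wlan0-2
    r"STA\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"    # client MAC
    r"IEEE 802\.11:\s+(?P<status>authenticated|deauthenticated)\b"
)


class Event(NamedTuple):
    ts: datetime
    ap: str
    iface: str
    mac: str
    status: str  # "authenticated" or "deauthenticated"


def parse_line(line: str, year: int = 2000) -> Optional[Event]:
    """Return an Event for an auth/deauth line, None for anything else.

    Syslog timestamps carry no year; `year` is an assumed value supplied by the
    caller (default 2000, a leap year, so a 'Feb 29' line still parses).
    """
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. "associated (aid 1)", DHCP, or unrelated daemons
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["ap"], m["iface"], m["mac"].lower(), m["status"])


def latest_event_per_mac(lines: Iterable[str], year: int = 2000) -> Dict[str, Event]:
    """Keep only the most recent auth/deauth event for each MAC.

    Equal timestamps resolve in file order (the later line wins), which is how
    syslog delivers events that fall within the same second.
    """
    last: Dict[str, Event] = {}
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev.mac not in last or ev.ts >= last[ev.mac].ts:
            last[ev.mac] = ev
    return last


def active_clients(lines: Iterable[str], year: int = 2000) -> List[Event]:
    """Clients whose last seen state is 'authenticated'."""
    return [ev for ev in latest_event_per_mac(lines, year).values()
            if ev.status == "authenticated"]


def count_active_clients(lines: Iterable[str], year: int = 2000) -> int:
    return len(active_clients(lines, year))


def active_by_ap(lines: Iterable[str], year: int = 2000) -> Dict[str, int]:
    """Active client count per access point, for a per-AP dashboard panel."""
    counts: Dict[str, int] = {}
    for ev in active_clients(lines, year):
        counts[ev.ap] = counts.get(ev.ap, 0) + 1
    return counts


def clients_never_deauthenticated(lines: Iterable[str]) -> Set[str]:
    """Set-based filter equivalent to the thread's values()/search approach:
    a MAC counts only if it authenticated and never deauthenticated. A client
    that dropped and re-authenticated is missed, which is why the functions
    above use the latest event instead."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            seen.setdefault(ev.mac, set()).add(ev.status)
    return {mac for mac, states in seen.items()
            if "authenticated" in states and "deauthenticated" not in states}


# Constructed sample: two access points; the MACs are placeholders, not real devices.
SAMPLE_LOG = """\
Jan 26 13:59:03 192.168.0.11 Jan 26 13:59:03 hostapd: wlan0-2: STA aa:bb:cc:dd:ee:01 IEEE 802.11: authenticated
Jan 26 13:59:04 192.168.0.11 Jan 26 13:59:04 hostapd: wlan0-2: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated (aid 1)
Jan 26 14:00:10 192.168.0.11 Jan 26 14:00:10 hostapd: wlan0-2: STA aa:bb:cc:dd:ee:02 IEEE 802.11: authenticated
Jan 26 14:02:47 192.168.0.11 Jan 26 14:02:47 hostapd: wlan0-2: STA aa:bb:cc:dd:ee:01 IEEE 802.11: deauthenticated due to local deauth request
Jan 26 14:05:00 192.168.0.11 Jan 26 14:05:00 hostapd: wlan0-2: STA aa:bb:cc:dd:ee:01 IEEE 802.11: authenticated
Jan 26 14:06:30 192.168.0.12 Jan 26 14:06:30 hostapd: wlan0: STA aa:bb:cc:dd:ee:03 IEEE 802.11: authenticated
Jan 26 14:07:00 192.168.0.12 Jan 26 14:07:00 hostapd: wlan0: STA aa:bb:cc:dd:ee:03 IEEE 802.11: deauthenticated due to inactivity
Jan 26 14:07:05 192.168.0.11 Jan 26 14:07:05 dnsmasq-dhcp[1234]: DHCPACK(br-lan) 192.168.0.50 aa:bb:cc:dd:ee:02
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("active clients:", count_active_clients(lines))                   # 2
    print("per AP:", active_by_ap(lines))                                   # {'192.168.0.11': 2}
    print("never deauthenticated:", clients_never_deauthenticated(lines))  # {'aa:bb:cc:dd:ee:02'}
```

On the sample, the latest-event rule reports two active clients (ee:01 re-authenticated after its deauth, ee:02 never left), while the never-deauthenticated filter reports only ee:02. In SPL the equivalent last-event-wins rule is what `stats latest(status) as status by mac` gives you, since `values()` discards ordering.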

mayurr98
Super Champion

Is there any common field for the client, like clientip, clientusername or clientid, which is unique to that client?


jonaskemmer
New Member

Hi mayurr98, thank you!
The MAC address (e.g. XX:XX:XX:XX:XX:XX) is unique.
I think looking for the MAC and maybe auth / deauth is a good combination, maybe...


mayurr98
Super Champion

Yes, I have done exactly that. Have you tried the solution given below?
Accept the answer to resolve this question if it is working for you!
