I have a small DTrace app that monitors ARP requests and replies, producing output like this:
2010 Sep 1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
I'm interested in knowing if any (senderMAC, senderIP) pair differs from previously seen instances over some period of time, in roughly the way that arpwatch would alert me of a change.
Can't quite work out a strategy for this in Splunk. Any help?
Probably needs tweaking, but these should give you some ideas...
Simplest approach
Look over some period for any cases where one IP address has more than one MAC address:
eventtype=foo | stats dc(senderMAC) as MACCount list(senderMAC) by senderIP
| search MACCount > 1
Track all New MACs for a given IP
Search 1 -- Tracking:
eventtype=foo | dedup senderIP, senderMAC | fields senderIP, senderMAC
| outputlookup arplookup
Search 2 -- Alerting:
eventtype=foo | dedup senderIP, senderMAC
| lookup arplookup senderIP OUTPUT senderMAC as oldMAC
| where isnotnull(oldMAC) AND senderMAC!=oldMAC
This should have the (desirable or undesirable) side effect of also alerting on all new pairs, not just when a MAC address changes...
Search 1 -- Tracking:
eventtype=foo | dedup senderMAC, senderIP | eval knownpair=1
| fields senderMAC,senderIP,knownpair | outputlookup macpairs
Search 2 -- Alerting:
eventtype=foo | lookup macpairs senderMAC, senderIP OUTPUT knownpair
| search NOT knownpair=1
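The same three detections, worked through outside Splunk as an added example (not from the question or the answer above): a parser for the DTrace line format shown in the question, the "more than one MAC per IP" check, a tracking run that builds the lookup table, and the two alerting variants side by side so the difference the answer mentions (alert only on changed MACs vs. alert on every unknown pair, new IPs included) is visible. The log lines are constructed for the example; the function names are the example's own.

```python
import re

# Constructed sample lines in the format the question shows; not real traffic.
SAMPLE_LOG = """\
2010 Sep 1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
2010 Sep 1 03:10:09 [type=Request][senderMAC=0:1:d7:3b:55:44][senderIP=1.2.3.5][targetMAC=0:0:0:0:0:0][targetIP=1.2.3.4]
2010 Sep 1 03:11:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
2010 Sep 1 03:12:30 [type=Reply][senderMAC=de:ad:be:ef:0:1][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
2010 Sep 1 03:13:00 [type=Reply][senderMAC=0:1:d7:3b:55:66][senderIP=1.2.3.9][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
"""

LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<fields>(?:\[\w+=[^\]]*\])+)$"
)
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_line(line):
    """Turn one DTrace line into a dict of its [key=value] fields plus the timestamp; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(FIELD_RE.findall(m.group("fields")))
    event["timestamp"] = m.group("timestamp")
    return event


def parse_log(text):
    """Parse every non-blank line, skipping lines that do not match the format."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def dedup_pairs(events):
    """Mimic `dedup senderIP, senderMAC`: keep the first event for each distinct (IP, MAC) pair."""
    seen, out = set(), []
    for ev in events:
        key = (ev["senderIP"], ev["senderMAC"])
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def ips_with_multiple_macs(events):
    """Simplest approach: `stats dc(senderMAC) as MACCount by senderIP | search MACCount > 1`."""
    macs = {}
    for ev in events:
        macs.setdefault(ev["senderIP"], set()).add(ev["senderMAC"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def build_lookup(events):
    """Search 1 (tracking): the table `outputlookup arplookup` would write, keyed by senderIP,
    holding every distinct MAC seen for that IP in first-seen order."""
    table = {}
    for ev in dedup_pairs(events):
        table.setdefault(ev["senderIP"], []).append(ev["senderMAC"])
    return table


def alert_changed_macs(events, lookup):
    """Search 2, arplookup variant: fire only for IPs already in the table whose current MAC
    differs from every recorded MAC. IPs never seen before stay silent."""
    return [ev for ev in dedup_pairs(events)
            if ev["senderIP"] in lookup and ev["senderMAC"] not in lookup[ev["senderIP"]]]


def alert_unknown_pairs(events, lookup):
    """Search 2, macpairs variant: fire on any (IP, MAC) pair absent from the table,
    so a brand-new IP fires as well as a changed MAC."""
    return [ev for ev in dedup_pairs(events)
            if ev["senderMAC"] not in lookup.get(ev["senderIP"], [])]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("IPs with more than one MAC:", ips_with_multiple_macs(events))
    baseline = build_lookup(events[:3])  # the scheduled tracking run over the first three lines
    for ev in alert_changed_macs(events[3:], baseline):
        print("MAC changed:", ev["timestamp"], ev["senderIP"], baseline[ev["senderIP"]], "->", ev["senderMAC"])
    for ev in alert_unknown_pairs(events[3:], baseline):
        print("unknown pair:", ev["timestamp"], ev["senderIP"], ev["senderMAC"])
```

With the first three lines as the tracking run, the fourth line (1.2.3.4 answering from a new MAC) is caught by both alerting variants, while the fifth line (an IP with no table entry at all) is reported only by the macpairs variant. In Splunk the equivalent split is the scheduled tracking search writing the table and the alerting search reading it; whether new IPs should page anyone is the policy choice the answer leaves to the reader.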
Ah, jeeze, a lookup table. I should have thought of that.
Thank you!