Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I search for results that share the same Mac address?

shandman
Path Finder
‎10-17-2017 01:34 PM

I think I'm close. Just need a little help. here is my current search
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same mac address.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:35 PM

Okay, two things - First, make sure your hosts have standardized names. Many systems have "host" sometimes in lower case, sometimes upper, and sometimes short host and sometimes FQDN. Those are all a single host, so you have to standardize the format of dest_nt_host before the stats command.

Second, upload your csv into a lookup, with the host in a field named host then run a search like this...

 index=windows sourcetype=dhcpsrvlog 
| dedup raw_mac,dest_nt_host
|  something that formats your host
| dedup raw_mac,dest_nt_host
| stats values(dest_nt_host) as host by raw_mac 
| where mvcount(host) > 1
| mvexpand host
| lookup myhosts.csv host OUTPUT host as foundme

Then this gets the ones that WERE in the lookup table... 

| where isnotnull(foundme)

...and this gets the ones that were NOT in the lookup table... 

| where isnull(foundme)

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:35 PM

Okay, two things - First, make sure your hosts have standardized names. Many systems have "host" sometimes in lower case, sometimes upper, and sometimes short host and sometimes FQDN. Those are all a single host, so you have to standardize the format of dest_nt_host before the stats command.

Second, upload your csv into a lookup, with the host in a field named host then run a search like this...

 index=windows sourcetype=dhcpsrvlog 
| dedup raw_mac,dest_nt_host
|  something that formats your host
| dedup raw_mac,dest_nt_host
| stats values(dest_nt_host) as host by raw_mac 
| where mvcount(host) > 1
| mvexpand host
| lookup myhosts.csv host OUTPUT host as foundme

Then this gets the ones that WERE in the lookup table... 

| where isnotnull(foundme)

...and this gets the ones that were NOT in the lookup table... 

| where isnull(foundme)
Reply
Solved! Jump to solution

shandman
Path Finder
‎10-19-2017 10:32 AM

Thank you. This is great!

Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-19-2017 11:03 AM

@shandman - Glad we were able to help! If that solved your issue, please "accept" the answer so that folks will know the question is closed.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-17-2017 09:57 PM

Hi @shandman,

This query might help you

index=windows sourcetype=dhcpsrvlog | dedup raw_mac,dest_nt_host| stats count(dest_nt_host) AS hostcount, values(dest_nt_host) by raw_mac | where hostcount > 1

Thanks,
Harshil

Reply
Solved! Jump to solution

shandman
Path Finder
‎10-18-2017 11:14 AM

The query works. For some reason I'm getting over 1000 results. Multiple hosts with the same mac. Weird. Thank you for the response though. I'll keep tinkering.

0 Karma
Reply
Solved! Jump to solution

shandman
Path Finder
‎10-18-2017 11:26 AM

I also just created a .csv lookup file that is pulling cmdb data with mac addresses to workstation. How can i append this search (above) to include the lookup .csv and verify that hosts match?

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...