I am receiving logs that show me when a mac address appears on my network switch and when it is removed
logs i receive look like this:
Feb 13 12:04:21 switch mac_action[1105]: action=learned, mac_addr=13:26:AA:AA:D1:A4, reporting_host=switch.local, vlan_num=3
Feb 13 12:05:01 switch mac_action[1406]: action=removed, mac_addr=13:26:AA:AA:D1:A4, reporting_host=switch.local, vlan_num=3
Feb 13 12:05:21 switch mac_action[1606]: action=learned, mac_addr=FF:26:AA:BB:D1:A4, reporting_host=switch.local, vlan_num=3
I am searching to find what is currently on the switch using the following search:
host=myhost | transaction mac_addr vlan_num startswith="learned" endswith="removed" keepevicted=true | search closed_txn="0"
This search, however, limits me by omitting hosts that were learnt before the time-window of my search and just feels more costly than what I think could be done
I've been playing around with streamstats a bit as I listen to SplunkTalk #64 - might that be a viable solution to accomplish this? Anyone with any ideas on how I might make a more efficient search?
Thanks!
My short answer is the blog post I think about whenever I see a question regarding keeping track of states: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
I know it may not be an answer to the exact question you're asking, but hopefully it can shed some insight into other good strategies for achieving what you want 🙂
You'll always have the problem with the time window, since you're not looking at a state table (i.e. currently active MACs). No matter how far back you go, you always run the risk of missing the MAC addresses that were learned outside the chosen time window.
I don't have access to those type of logs, so I this may not be wholly adequate, by you might achieve better performance with something like;
your search | eval ZZZ = case(action == learned, "1", action == removed, "-1") | stats sum(ZZZ) as XXX by mac_addr vlan_num | where XXX > 0
i.e. XXX will be a positive number if there are more "learned" than "removed"
Or you could perhaps even more simply do something like;
your search | dedup mac_addr | search action=learned | table mac_addr vlan_num
i.e. find the most recent event for each MAC, filter out all but learned
Hope this helps,
Kristian
My short answer is the blog post I think about whenever I see a question regarding keeping track of states: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
I know it may not be an answer to the exact question you're asking, but hopefully it can shed some insight into other good strategies for achieving what you want 🙂
Hey Thanks!
Off the bat, this seems to address my question pretty well!
I've got it up and running and I will see if I encounter any issues