MuS,
Thank you for the quick response. I am now seeing requests from my Splunk server to api.macvendors.com so it appears to be trying to search. Now I cannot get the vendor to show up in my table.
Does the | maclookup replace the mac address with the vendor? Does it create a new row in the table?
In the end, I want the table to show:
Time
Source (westannex1 in this example)
Mac Address
Port
Vendor
Based off this syslog data:
Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)
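The field extraction this post asks for, as an added example that is not part of the original post and is not the maclookup app's code: it parses the quoted syslog line into the five requested columns and normalizes the MAC, which in the sample is in dotted form with a trailing space inside the brackets. The names `parse_line`, `normalize_mac` and `OUI_TABLE` are hypothetical, the vendor string is a placeholder rather than real registry data, and using the first timestamp for Time is an assumption.

```python
import re

# Constructed sample: the syslog line quoted in the post above.
SAMPLE = ("Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 "
          "MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)")

# Hypothetical local OUI table standing in for an online vendor lookup.
# The vendor string is a labelled placeholder, not real registry data.
OUI_TABLE = {"00:21:70": "ExampleVendor (placeholder)"}

LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # timestamp added by the receiver
    r"\S+ "                                            # sending device IP
    r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} "              # timestamp written by the device
    r"(?P<source>\S+) MAC Authentication failed for "
    r"\[\s*(?P<mac>[0-9A-Fa-f.:\-]+)\s*\] "            # tolerate padding inside the brackets
    r"on port (?P<port>\S+)"
)

def normalize_mac(raw):
    """Convert dotted, dashed or colon MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_line(line, oui_table=OUI_TABLE):
    """Return one table row as a dict, or None if the line is a different event."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    mac = normalize_mac(m.group("mac"))
    return {
        "Time": m.group("time"),
        "Source": m.group("source"),
        "Mac Address": mac,
        "Port": m.group("port"),
        # The first three octets (the OUI) identify the vendor.
        "Vendor": oui_table.get(mac[:8], "unknown"),
    }

if __name__ == "__main__":
    print(parse_line(SAMPLE))
```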