@tfhartmann
Created September 25, 2013 14:34
Splunk Searches from Talk

I love this search: it's got a subsearch from an input file, a lookup, an eval, and a field extraction. It's got it all!

index=dhcp eventtype="dhcpd_server" NOT DHCPEXPIRE [| inputlookup mac_tracking.csv | fields mac ]
| rex field=_raw "DHCP(ACK on|REQUEST for) (?<clientip>(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d)) (to|for)"
| rename clientip as host
| lookup huis host
| eval Link="http://map.harvard.edu/?bld=".bld_root
| transaction _time, mac
| rename huid as HUID, mac as "MAC Address", mac_status as "Laptop Status", match_string as "Location", ip as "IP Address", src_translated_ip as "External IP Address"
| table _time, HUID, "Location", "MAC Address", "IP Address", "External IP Address", "Laptop Status", Link
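To make each stage of the pipeline concrete, here is an added Python emulation of the search (not from the gist) run over constructed ISC dhcpd lines: the rex pattern is the gist's own, rewritten with Python's (?P<name>...) group syntax, while the MAC extraction, the tracked-MAC set, the huis lookup rows and the log lines are assumptions built for this example. The constructed DHCPREQUEST line uses dhcpd's "from" wording, which the pattern's "(to|for)" alternative does not match, so that row comes through with no client IP, just as Splunk keeps an event whose rex finds nothing.

```python
import re

# The gist's rex pattern, with the named group in Python's (?P<name>...) syntax.
CLIENTIP_RE = re.compile(
    r"DHCP(ACK on|REQUEST for) "
    r"(?P<clientip>(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d)) (to|for)"
)
# Assumed stand-in for the `mac` field the dhcpd_server eventtype would extract.
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

# Constructed events as (_time, _raw): line 2 duplicates line 1 so the transaction
# step has something to collapse; the last line carries a MAC that is not tracked.
EVENTS = [
    ("2013-09-25 10:00:01", "dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 via eth0"),
    ("2013-09-25 10:00:01", "dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 via eth0"),
    ("2013-09-25 10:00:05", "dhcpd: DHCPEXPIRE on 10.1.2.3 to 00:11:22:33:44:55"),
    ("2013-09-25 10:00:09", "dhcpd: DHCPREQUEST for 10.1.2.9 from 00:11:22:33:44:55 via eth0"),
    ("2013-09-25 10:00:12", "dhcpd: DHCPACK on 10.1.2.40 to aa:bb:cc:dd:ee:ff via eth0"),
]
# Constructed stand-in for `inputlookup mac_tracking.csv | fields mac`.
TRACKED_MACS = {"00:11:22:33:44:55"}
# Constructed stand-in for the `huis` lookup, keyed on host (the renamed client IP).
HUIS = {
    "10.1.2.3": {"huid": "12345678", "bld_root": "1234", "match_string": "Science Center",
                 "ip": "10.1.2.3", "src_translated_ip": "203.0.113.7", "mac_status": "stolen"},
}

def run_search(events, tracked_macs=TRACKED_MACS, huis=HUIS):
    """Emulate the gist's pipeline stage by stage; returns the rows `table` would show."""
    rows, seen = [], set()
    for t, raw in events:
        if "DHCPEXPIRE" in raw:                  # NOT DHCPEXPIRE
            continue
        m = MAC_RE.search(raw)
        mac = m.group(1).lower() if m else None
        if mac not in tracked_macs:              # subsearch: (mac=... OR mac=...)
            continue
        if (t, mac) in seen:                     # transaction _time, mac
            continue
        seen.add((t, mac))
        ipm = CLIENTIP_RE.search(raw)            # rex field=_raw "..."
        host = ipm.group("clientip") if ipm else None   # rename clientip as host
        lk = huis.get(host, {})                  # lookup huis host
        link = ("http://map.harvard.edu/?bld=" + lk["bld_root"]) if "bld_root" in lk else None
        rows.append({"_time": t, "HUID": lk.get("huid"), "Location": lk.get("match_string"),
                     "MAC Address": mac, "IP Address": lk.get("ip"),
                     "External IP Address": lk.get("src_translated_ip"),
                     "Laptop Status": lk.get("mac_status"), "Link": link})
    return rows
```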