Reply
Highlighted

Inactive IP Addresses Report

Adviser
Posts: 244
1420     0
<form>
  <label>Inactive IP Addresses</label>
  <description>System-created dashboard: Please clone before editing.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-32d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="network_view">
      <label>Network View</label>
      <choice value="All">All</choice>
      <search>
        <query>source=ib:discovery:ipaddr_activity index=ib_discovery
               | stats count by NETWORK_VIEW</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>NETWORK_VIEW</fieldForLabel>
      <fieldForValue>NETWORK_VIEW</fieldForValue>
      <change>
        <condition value="All">
          <set token="network_view_str"> </set>
        </condition>
        <condition value="*">
          <set token="network_view_str">NETWORK_VIEW="$value$"</set>
        </condition>
      </change>
      <default>All</default>
    </input>
    <input type="text" token="discovered_name">
      <label>Device Name</label>
      <default>All</default>
      <change>
        <condition value="All">
          <set token="discovered_name_str"> </set>
        </condition>
        <condition value="*">
          <set token="discovered_name_str">DISCOVERED_NAME="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>source=ib:discovery:ipaddr_activity index=ib_discovery
            $network_view_str$
            $discovered_name_str$
            | where (IPADDR_MASK % 4) &gt; 0
            | sort 0 _time
            | streamstats current=false last(NON_NULL_PORT) as PREV_NON_NULL_PORT last(NON_NULL_NAME) as PREV_NON_NULL_NAME by IPADDR NETWORK_VIEW
            | eval A2I=if((NON_NULL_PORT=="") AND ((PREV_NON_NULL_PORT!="") OR (isnull(PREV_NON_NULL_PORT)) OR (len(PREV_NON_NULL_PORT)==0)) AND (_time &lt; relative_time(now(), "-1w@d")), 1, 0)
            | eval SHOWN_COMPONENT_NAME = if((NON_NULL_NAME=="") AND (PREV_NON_NULL_NAME!=""), PREV_NON_NULL_NAME, NON_NULL_NAME)
            | eval SHOWN_COMPONENT_PORT = if((NON_NULL_PORT=="") AND (PREV_NON_NULL_PORT!=""), PREV_NON_NULL_PORT, NON_NULL_PORT)
            | eval ACTIVE=if((NON_NULL_PORT!=""), 1, 0)
            | where ((A2I==1) OR (ACTIVE==1))
            | sort 0 -_time
            | dedup IPADDR, NETWORK_VIEW 
            | where (A2I==1) AND (IN_USE_FLAG==1)
            | eval SHOWN_INTERFACE = SHOWN_COMPONENT_NAME + if(len(SHOWN_COMPONENT_NAME)==0, SHOWN_COMPONENT_PORT, ": "+SHOWN_COMPONENT_PORT)
            | rename IPADDR as IP DISCOVERED_MAC_DUID as "Last MAC/DUID" DISCOVERED_NAME as "Device Name" DEVICE_TYPE as "Device Type" SHOWN_INTERFACE as "Port / Interface" NETWORK_VIEW as "Network View"
            | table IP "Last MAC/DUID" Type "Device Name" "Device Type" "Port / Interface" "Network View"
            | sort +ip(IP) +str("Network View")
          </query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
If you appreciate my efforts, please give me a kudo ↓ or Accept as solution to help others find it faster.
Showing results for 
Search instead for 
Do you mean 

Recommended for You