
Need to de-dup DHCP lease history for device count report


Hi,

 

Just installed the reporting VM IB-v5005, and we are seeing plenty of data. The CIO needs reports of daily device counts per school (each is a 10.0.0/16). I'm weak on rex and Splunk, but have managed to craft the following query (10.1.0.0/16 is one of about 100 of our schools)

 

sourcetype = ib:dhcp:lease_history index = ib_dhcp_lease_history DEVICE_CLASS="*" LEASE_IP="10.1.0.0/16" | timechart count by DEVICE_CLASS
[Attached screenshots: IB-Query-1.png, IB-Query-2.png]
The problem is, each device can receive a DHCP lease multiple times in a 24-hour period: not just a duplicate of the previous day's lease, but also multiple times a day as the devices go off and on the network, are powered off/on, etc. This school has only 1200 students, so there are not > 5k MacBooks at the school.

 

How can I de-duplicate the results, so that the counts accurately reflect the actual, unique devices? Ideally, I would de-dup by MAC address.

 

Thanks!

 

Steve
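The counting problem in the post above, worked through as an added example (this is not code from the original post, nor Infoblox's or Splunk's own): a timechart of lease events counts every lease a device obtained, so a laptop that renewed three times in one day is counted three times. The de-duplicated report has to count each MAC address once per day (and, for the per-school breakdown, only leases whose IP falls inside that school's /16). The script below does that over constructed sample records; the field names timestamp, lease_ip, mac and device_class are assumptions for the example, not the real ib:dhcp:lease_history field names. It also normalizes the MAC before de-duplicating, because a record written as AA:BB:CC:00:00:01 and one written as aa-bb-cc-00-00-01 are the same device and would otherwise be counted twice. In Splunk the same idea is a distinct count (stats dc(...)) over the MAC field rather than a plain count.

```python
"""Count unique DHCP clients per day per school subnet.

Added example, not from the original post. The record layout (timestamp,
lease_ip, mac, device_class) is an assumption for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lease-history records (not real Infoblox data).
# Device ...:01 leases three times on 2024-03-04 (two spellings of the same
# MAC), once more on 2024-03-05; one record belongs to another school's /16.
SAMPLE_LEASES = [
    {"timestamp": "2024-03-04T07:55:10", "lease_ip": "10.1.3.20",
     "mac": "AA:BB:CC:00:00:01", "device_class": "MacBook"},
    {"timestamp": "2024-03-04T12:10:42", "lease_ip": "10.1.3.20",
     "mac": "aa:bb:cc:00:00:01", "device_class": "MacBook"},
    {"timestamp": "2024-03-04T15:30:05", "lease_ip": "10.1.7.99",
     "mac": "aa-bb-cc-00-00-01", "device_class": "MacBook"},
    {"timestamp": "2024-03-04T08:02:00", "lease_ip": "10.1.5.14",
     "mac": "aa:bb:cc:00:00:02", "device_class": "MacBook"},
    {"timestamp": "2024-03-04T09:00:00", "lease_ip": "10.1.9.40",
     "mac": "aa:bb:cc:00:00:03", "device_class": "iPad"},
    {"timestamp": "2024-03-04T09:15:00", "lease_ip": "10.2.0.10",
     "mac": "aa:bb:cc:00:00:04", "device_class": "MacBook"},
    {"timestamp": "2024-03-05T08:00:00", "lease_ip": "10.1.3.21",
     "mac": "aa:bb:cc:00:00:01", "device_class": "MacBook"},
]


def normalize_mac(mac):
    """Canonical lower-case colon form so AA:BB.., aa-bb.. and aabb.. match."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def leases_in_subnet(leases, subnet):
    """Yield only the records whose leased IP lies inside the school's /16."""
    net = ipaddress.ip_network(subnet)
    for rec in leases:
        if ipaddress.ip_address(rec["lease_ip"]) in net:
            yield rec


def lease_day(rec):
    return datetime.fromisoformat(rec["timestamp"]).date().isoformat()


def raw_lease_counts(leases, subnet):
    """What a plain per-day count does: every lease event is counted."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in leases_in_subnet(leases, subnet):
        counts[lease_day(rec)][rec["device_class"]] += 1
    return {day: dict(classes) for day, classes in counts.items()}


def unique_device_counts(leases, subnet):
    """De-duplicated count: each normalized MAC counts once per day per class."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in leases_in_subnet(leases, subnet):
        seen[lease_day(rec)][rec["device_class"]].add(normalize_mac(rec["mac"]))
    return {day: {cls: len(macs) for cls, macs in classes.items()}
            for day, classes in seen.items()}


if __name__ == "__main__":
    school = "10.1.0.0/16"
    for label, fn in (("raw lease events", raw_lease_counts),
                      ("unique devices", unique_device_counts)):
        print(f"{label} for {school}:")
        for day, classes in sorted(fn(SAMPLE_LEASES, school).items()):
            print(f"  {day}: {classes}")
```

On the sample data the raw count reports 4 MacBook leases on 2024-03-04 where only 2 MacBooks were present, which is exactly the inflation described in the post. One caveat: the de-duplication is keyed per device class, so a MAC whose class is recorded differently on two leases in the same day would still be counted twice; if that happens in the real data, key the set on the MAC alone and assign the class afterwards.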
