Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.



Need to de-dup DHCP lease history for device count report

New Member
Posts: 1
1596     0



Just installed the reporting VM IB-v5005, and we are seeing plenty of data. The CIO needs reports of daily device counts per school (each is a 10.0.0/16). I'm weak on rex and Splunk, but have managed to craft the following query ( is one of about 100 of our schools)


sourcetype = ib:dhcp:lease_history index = ib_dhcp_lease_history DEVICE_CLASS="*" LEASE_IP="" | timechart count by DEVICE_CLASS







The problem is, each device can receive a DHCP lease multiple times in a 24 hour period, not just a duplicate from the previous day, but also multiple times a day as the devices go off and on the network, are powered off/on, etc. This school has only 1200 students, so there are not > 5k Macbooks at the school.


How can I de-duplicate the results, so that the counts accurately reflect the actual, unique devices? Ideally, I would de-dup by MAC address.





Showing results for 
Search instead for 
Did you mean: 

Recommended for You