SSO Login is being implemented on this site. Existing users: Your existing password must be reset the first time you login using SSO. Click here to reset your password first before login. Your new username will be your email.



Need to de-dup DHCP lease history for device count report

Posts: 1
1152     0



Just installed the reporting VM IB-v5005, and we are seeing plenty of data. The CIO needs reports of daily device counts per school (each is a 10.0.0/16). I'm weak on rex and Splunk, but have managed to craft the following query ( is one of about 100 of our schools)


sourcetype = ib:dhcp:lease_history index = ib_dhcp_lease_history DEVICE_CLASS="*" LEASE_IP="" | timechart count by DEVICE_CLASS







The problem is, each device can receive a DHCP lease multiple times in a 24 hour period, not just a duplicate from the previous day, but also multiple times a day as the devices go off and on the network, are powered off/on, etc. This school has only 1200 students, so there are not > 5k Macbooks at the school.


How can I de-duplicate the results, so that the counts accurately reflect the actual, unique devices? Ideally, I would de-dup by MAC address.





Showing results for 
Search instead for 
Did you mean: 

Recommended for You