01-23-2019 01:55 PM
Just installed the reporting VM IB-v5005, and we are seeing plenty of data. The CIO needs reports of daily device counts per school (each is a 10.0.0/16). I'm weak on rex and Splunk, but have managed to craft the following query (10.1.0.0/16 is one of about 100 of our schools)
sourcetype = ib:dhcp:lease_history index = ib_dhcp_lease_history DEVICE_CLASS="*" LEASE_IP="10.1.0.0/16" | timechart count by DEVICE_CLASS
The problem is, each device can receive a DHCP lease multiple times in a 24 hour period, not just a duplicate from the previous day, but also multiple times a day as the devices go off and on the network, are powered off/on, etc. This school has only 1200 students, so there are not > 5k Macbooks at the school.
How can I de-duplicate the results, so that the counts accurately reflect the actual, unique devices? Ideally, I would de-dup by MAC address.