streamstats example

I don’t use the streamstats command very often, but last week I ended up using it for a customer and finally realized how powerful it is:

The use case was to figure out when a DHCP IP lease address changed for a MAC address. I don’t have access to the real data, so I mocked some up:


Notice for the 54:00:00:00:00:00 MAC address there are 3 changes to the IP address:

Using streamstats and a few cleanup commands, I can quickly see when those changes occur:

source=/Users/kbains/Desktop/dhcp.csv 54:00:00:00:00:00
| head 10
| streamstats current=false last(DHCP_IP) as new_dhcp_ip last(_time) as time_of_change by MAC
| where DHCP_IP!=new_dhcp_ip
| convert ctime(time_of_change) as time_of_change
| rename DHCP_IP as old_dhcp_ip
| table time_of_change, MAC, old_dhcp_ip, new_dhcp_ip
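What the search computes, modelled in plain Python as an added example (not the author's code and not Splunk code). It goes slightly beyond the search by interleaving a second MAC to show the effect of `by MAC`. The sample events and the `lease_changes` helper are constructed for illustration, and times are rendered in UTC rather than the search head's local time.

```python
# Added example: a Python model of the streamstats search, not Splunk code.
from datetime import datetime, timezone

# Constructed sample events, newest first (the order a Splunk search returns).
# Field names match the search; every value here is made up.
EVENTS = [
    {"_time": 1700018000, "MAC": "54:00:00:00:00:00", "DHCP_IP": "10.0.0.13"},
    {"_time": 1700016000, "MAC": "54:00:00:00:00:01", "DHCP_IP": "10.0.0.50"},
    {"_time": 1700014000, "MAC": "54:00:00:00:00:00", "DHCP_IP": "10.0.0.13"},
    {"_time": 1700012000, "MAC": "54:00:00:00:00:00", "DHCP_IP": "10.0.0.12"},
    {"_time": 1700010000, "MAC": "54:00:00:00:00:01", "DHCP_IP": "10.0.0.50"},
    {"_time": 1700008000, "MAC": "54:00:00:00:00:00", "DHCP_IP": "10.0.0.11"},
    {"_time": 1700006000, "MAC": "54:00:00:00:00:00", "DHCP_IP": "10.0.0.11"},
    {"_time": 1700004000, "MAC": "54:00:00:00:00:00", "DHCP_IP": "10.0.0.10"},
]


def lease_changes(events):
    """Return one row per IP change, following the search's pipeline."""
    previous = {}  # MAC -> event seen just before this one in stream order
    rows = []
    for event in events:
        prev = previous.get(event["MAC"])
        # current=false: only earlier stream events feed last(), so the first
        # event per MAC has no new_dhcp_ip and the where clause drops it.
        if prev is not None and event["DHCP_IP"] != prev["DHCP_IP"]:
            # The stream is newest first, so "previous" is the newer event:
            # its IP is the new lease and its _time is when the change shows.
            changed = datetime.fromtimestamp(prev["_time"], tz=timezone.utc)
            rows.append({
                "time_of_change": changed.strftime("%m/%d/%Y %H:%M:%S"),
                "MAC": event["MAC"],
                "old_dhcp_ip": event["DHCP_IP"],
                "new_dhcp_ip": prev["DHCP_IP"],
            })
        previous[event["MAC"]] = event
    return rows


if __name__ == "__main__":
    for row in lease_changes(EVENTS):
        print(row)
```

Because results arrive newest first, the current event holds the old address and the carried-over value holds the new one, which is why the search renames `DHCP_IP` to `old_dhcp_ip`.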

Karandeep Bains