
I don’t use the streamstats command very often, but last week I ended up using it for a customer and finally realized how powerful it is.
The use case was to figure out when the leased DHCP IP address changed for a given MAC address. I don’t have access to the real data, so I mocked some up:
"_time","MAC","DHCP_IP"
1378474818,"12:00:00:00:00:00","192.168.2.167"
1378474818,"0a:00:00:00:00:00","192.168.2.123"
Notice for the 54:00:00:00:00:00 MAC address there are 3 changes to the IP address:
Using streamstats and a few cleanup commands, I can quickly see when those changes occur:
source=/Users/kbains/Desktop/dhcp.csv 54:00:00:00:00:00 | head 10 | streamstats current=false last(DHCP_IP) as new_dhcp_ip last(_time) as time_of_change by MAC | where DHCP_IP!=new_dhcp_ip | convert ctime(time_of_change) as time_of_change | rename DHCP_IP as old_dhcp_ip | table time_of_change, MAC, old_dhcp_ip, new_dhcp_ip
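To make the logic of that search easier to follow, here is an added Python sketch (not part of the original post) that emulates the streamstats and where steps. The events and the IP addresses for 54:00:00:00:00:00 are constructed, and the function names are hypothetical. The point to notice is that a search passes events to streamstats newest first, so with current=false the "last" value seen for a MAC is the later lease, which is why the search names it new_dhcp_ip.

```python
from datetime import datetime, timezone

# Constructed sample events (not the post's data): (_time, MAC, DHCP_IP).
EVENTS = [
    (1378474818, "54:00:00:00:00:00", "192.168.2.10"),
    (1378474818, "12:00:00:00:00:00", "192.168.2.167"),
    (1378478418, "54:00:00:00:00:00", "192.168.2.10"),
    (1378482018, "54:00:00:00:00:00", "192.168.2.44"),
    (1378485618, "12:00:00:00:00:00", "192.168.2.167"),
    (1378489218, "54:00:00:00:00:00", "192.168.2.44"),
    (1378492818, "54:00:00:00:00:00", "192.168.2.91"),
]


def lease_changes(events):
    """Emulate: streamstats current=false last(DHCP_IP) last(_time) by MAC
    followed by: where DHCP_IP!=new_dhcp_ip."""
    # A Splunk search hands events to streamstats newest first, so the
    # "previous" event in the stream is the *later* one in time.
    stream = sorted(events, key=lambda e: e[0], reverse=True)
    prev = {}      # MAC -> (_time, DHCP_IP) of the previous event in the stream
    changes = []
    for ts, mac, ip in stream:
        seen = prev.get(mac)
        # current=false: the current event is excluded from its own stats, so
        # the first event per MAC has no new_dhcp_ip and is dropped by `where`.
        if seen is not None and seen[1] != ip:
            changes.append({
                "time_of_change": seen[0],
                "MAC": mac,
                "old_dhcp_ip": ip,
                "new_dhcp_ip": seen[1],
            })
        prev[mac] = (ts, ip)
    return changes


def ctime(epoch):
    """Rough stand-in for convert ctime(), fixed to UTC for repeatability."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    for row in lease_changes(EVENTS):
        print(ctime(row["time_of_change"]), row["MAC"],
              row["old_dhcp_ip"], "->", row["new_dhcp_ip"])
```

The time_of_change on each row is the timestamp of the first event that carries the new address, not the last event with the old one.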
----------------------------------------------------
Thanks!
Karandeep Bains