**Background:**
I have a directory/folder of CSV files containing the following fields:
`mac ;IP;devicename;interface;vlan`, which is being indexed into `switchlogs`.
[collected from all my LAN switches]
Currently, to check if an IP address is older than 90 days, I use the following search:
```
index="switchlogs" IP=xxx.xxx.xxx.xxx daysago=90 | timechart count | sort by _time desc
```
Any results returned tell me that the IP has been active in the last 90 days.
e.g.
```
2018-08-16 0
2018-08-15 92
2018-08-14 108
2018-08-13 112
2018-08-12 106
```
**Question:**
How do I get a table of IP addresses which have expired [not seen in 90 days] in one single search?
[maybe I can use a lookup table to check against?]
For example,
xxx.xxx.xxx.xxx last seen on the network
Thank you
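
One way to build that table in a single search, as an added example that is not part of the original post. It assumes the `IP` field is extracted as in the search above and that each event's `_time` is when the switch reported the address; the one-year look-back (`earliest=-1y`) is a value chosen here for illustration.

```spl
index="switchlogs" earliest=-1y
| stats latest(_time) AS last_seen BY IP
| where last_seen < relative_time(now(), "-90d@d")
| sort last_seen
| eval last_seen=strftime(last_seen, "%Y-%m-%d")
| table IP last_seen
```

An address with no events inside the look-back window produces no row at all, so `earliest` has to reach back as far as the oldest data kept in the index.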