Splunk module for MAC Vendor Lookup API

MAC address Vendor Lookup API is available as an extension for Splunk. It allows doing instant MAC Vendor Lookup and provides an external lookup for enriching MAC addresses with extra details, as well as dashboards which help to visualize MAC address details.

Download the extension: https://splunkbase.splunk.com/app/4308/

Prerequisites

1. 1 You need a Splunk instance up and running. To install and configure it, please refer to the official documentation.

Configuring the extension

1. 1Log in to your Splunk instance.
2. 2Download and install the application. You can do it from within Splunk.
3. 3You can start the configuration immediately once the application is installed and run.
4. 3.2Also, you can configure the application on the Apps page. Click Set up near the application name.
5. 4Fill in your API key and click Save.

Using the extension

1. 1Add data to Splunk. In this tutorial, we use a CSV file containing MAC addresses, but you're free to use any other approaches described in the official Splunk documentation. Go to Settings > Add data.
2. 2Click Upload files from my computer.
3. 3Select your file and press Next.
4. 4We need to configure the timestamp extraction (the name of the corresponding Splunk option on the view) as Current and fill in CSV columns names. Then click Next. In the modal appeared, choose whether or not you’d like to save the source type changes.
5. 5On the Input Settings page, choose the index to which you’d like to save your data. It’s possible to use our pre-built "mac_addresses’ index or another one. Then click Review.
6. 6After reviewing, click Start searching or just go to Apps > Search & Reporting. You can add a lookup clause following your search query. Then choose the time period and click the Search icon.
7. 7Once the results have appeared, you can expand each event to see enriched properties. To perform more comprehensive searches, take a look at the corresponding official documentation.

Advanced usage

MAC address vendor lookup for Splunk provides some pre-built dashboards you can use.

1. 1Firstly, let’s make some visualization based on the MAC addresses found.
   Go to Apps > MAC Address Vendor Lookup > Dashboard
2. 2Fill in the index name "mac_addresses” and the field containing the MAC addresses in the source data.
3. 3Then choose the fields which are supposed to be visible in the drilldown.
4. 4Submit the form and wait for the result. It may take a while depending on the size of your dataset.
   Optionally, you can export a PDF report.
5. 5Besides, you can use instant MAC vendor lookup from within the application.
   Go to Apps > MAC Address Vendor Lookup > MAC Address Vendor Lookup
   Fill in one or more comma-separated mac addresses. Select visible fields and submit the form.