Infoblox DHCP log extraction

sholmes · ‎06-12-2014

Hello,
How do you get the IP address from dhcpack from a log with the following format and the mac address?
<30>Jun 12 10:40:44 172.20.10.23 dhcpd[3360]: DHCPACK on 172.20.194.157 to 5c:f9:38:ad:fe:88 (Specht00-AIR) via eth2 relay 172.29.192.5 lease-duration 86400 (RENEW).

I tried this search
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "on\s(?\d+-\d+-\d+-\d+-)"

TonyLeeVT · ‎02-29-2016

The latest infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end

Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes

TA is available here: https://splunkbase.splunk.com/app/2934/#/overview

richgalloway · ‎06-12-2014

This regex worked for me on RegExr using your sample event.

rex "on\s(?<ip>\d+\.\d+\.\d+\.\d+)"

---
If this reply helps you, Karma would be appreciated.

sholmes · ‎06-12-2014

This worked with below to generate a table of IP address.
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex "on\s(?\d+.\d+.\d+.\d+)" | table ip

kmscalf · ‎06-12-2014

Try this for IP

sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=on\s)\d{2,3}.\d{2,3}.\d{2,3}.\d{2,3})"

sholmes · ‎06-12-2014

worked to generate the information but now with other commands
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=ons)d{2,3}.d{2,3}.d{2,3}.d{2,3})" | table ip

Infoblox DHCP log extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life