I am using a LWF to send Windows DHCP logs to an indexer using this configuration:
[monitor://F:\dhcp]
sourcetype = dhcp
crcSalt =
The logs that end up on the indexer look like this:
31,07/11/11,10:44:57,DNS Update Failed,10.1.60.56,. ,,,0,6,,,
I have copied and changed the props.conf to be this:
[dhcp]
TIME_PREFIX=\,
TIME_FORMAT=%m/%d/%y,%T
SHOULD_LINEMERGE=false
REPORT-dhcp=win_dhcp_extract,win_dhcp_expired-deleted
TRANSFORMS-dhcp=null_win_dhcp_header
FIELDALIAS-1=dhcp_id as cef_sid
FIELDALIAS-2=desc as cef_name
LOOKUP-winDHCP-mac=winDHCP_mac-vendorname src_mac_prefix OUTPUT src_mac_vendor
LOOKUP-winDHCP-CEF=winDHCP_CEF-lookup cef_sid OUTPUTNEW
LOOKUP-winDHCP-message=winDHCP_message_lookup dhcp_id OUTPUTNEW
Within the Windows DHCP app I don't have any data displayed; looking for some help on the configuration.
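Whether the props.conf stanza above actually parses the sample line can be checked offline before touching the app. The script below is an added example, not code from the Windows DHCP app or from the poster. It applies the TIME_PREFIX/TIME_FORMAT pair the way Splunk does (a regex to find where the timestamp starts, then a strptime parse), drops the preamble at the top of a Windows DHCP log the way the referenced null_win_dhcp_header transform is meant to (the app's own regex is not shown here, so the pattern used is an assumption), and splits each event line into fields. The column names are taken from the header row of a Windows DHCP server activity log and are assumed; dhcp_id and desc are the app field names the stanza aliases and looks up, and deriving src_mac_prefix as the first three octets of the MAC is also an assumption. The sample log text is constructed.

```python
"""Offline check of the props.conf settings from the question against the
sample event line.  Added example, not code from the Windows DHCP app.
Assumptions are marked inline."""
import re
from datetime import datetime

# Copied from the question's props.conf stanza.
TIME_PREFIX = r"\,"
TIME_FORMAT = "%m/%d/%y,%T"

# Column names of a Windows DHCP server activity log, taken from the header
# row the server writes above the events (assumed; not shown on the page).
DHCP_COLUMNS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name",
                "MAC Address", "User Name", "TransactionID", "QResult",
                "Probationtime", "CorrelationID", "Dhcid"]

# Stand-in for the null_win_dhcp_header transform the props.conf references:
# anything that does not start with "<numeric id>,<mm/dd/yy>," is preamble or
# the header row and would go to nullQueue.  The app's own regex is not on
# the page, so this pattern is an assumption.
EVENT_LINE_RE = re.compile(r"^\d+,\d{2}/\d{2}/\d{2},")

# Constructed sample: the event from the question, a second constructed event
# that carries a MAC address, and the kind of preamble a Windows DHCP log has.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

Event ID  Meaning
31\tDNS update failed.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
31,07/11/11,10:44:57,DNS Update Failed,10.1.60.56,. ,,,0,6,,,
10,07/11/11,10:45:02,Assign,10.1.60.57,host1.example.com,001122AABBCC,,0,0,,,
"""

# strptime directives as regex fragments, so TIME_FORMAT can be located in the
# text after TIME_PREFIX before it is parsed (roughly what Splunk does).
_DIRECTIVE_RE = {
    "%m": r"\d{1,2}", "%d": r"\d{1,2}", "%y": r"\d{2}", "%Y": r"\d{4}",
    "%H": r"\d{1,2}", "%M": r"\d{2}", "%S": r"\d{2}",
    "%T": r"\d{1,2}:\d{2}:\d{2}",
}


def _format_to_regex(fmt):
    """Translate a strptime format into a regex matching the same text."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            out.append(_DIRECTIVE_RE[fmt[i:i + 2]])  # KeyError = unsupported directive
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return "".join(out)


def extract_timestamp(line, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT):
    """Apply TIME_PREFIX then TIME_FORMAT the way props.conf does; None if no match."""
    prefix = re.search(time_prefix, line)
    if not prefix:
        return None
    m = re.match(_format_to_regex(time_format), line[prefix.end():])
    if not m:
        return None
    # %T is not portable in Python's strptime; expand it before parsing.
    return datetime.strptime(m.group(0), time_format.replace("%T", "%H:%M:%S"))


def is_event_line(line):
    return bool(EVENT_LINE_RE.match(line))


def parse_event(line):
    """Split one event line into fields; dhcp_id and desc are the app field
    names the question's props.conf aliases and looks up."""
    values = [v.strip() for v in line.rstrip("\r\n").split(",")]
    raw = dict(zip(DHCP_COLUMNS, values))
    event = {"dhcp_id": raw.get("ID", ""), "desc": raw.get("Description", ""),
             "ip": raw.get("IP Address", ""), "host": raw.get("Host Name", "")}
    # src_mac_prefix feeds the vendor lookup; taking the OUI (first three
    # octets) of the MAC is an assumption about how the app derives it.
    mac = re.sub(r"[^0-9A-Fa-f]", "", raw.get("MAC Address", ""))
    if len(mac) >= 6:
        event["src_mac_prefix"] = mac[:6].upper()
    return event


def process_log(text):
    """Return the events Splunk would index from the log text, with _time set."""
    events = []
    for line in text.splitlines():
        if not is_event_line(line):
            continue  # preamble/header row: what the null transform discards
        event = parse_event(line)
        event["_time"] = extract_timestamp(line)
        events.append(event)
    return events


if __name__ == "__main__":
    for event in process_log(SAMPLE_LOG):
        print(event)
```

Running it shows the timestamp and fields coming out of the question's line as expected, so the stanza itself is not what leaves the dashboards empty. Note also that the event in the question carries no MAC address and so gets no src_mac_prefix; a dashboard search that includes src_mac_prefix=* counts only events that do, which is worth remembering when a panel stays empty.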
Please refer to the app documentation:
http://splunk-base.splunk.com/apps/22353/windows-dhcp
Saved Searches
Most of the saved searches and dashboards depend on the macro WinDHCP_event
being defined correctly. By default, this event type is defined as "sourcetype=DhcpSrvLog", so if you have performed the initial step of getting the field extractions to work, you should be all set. If you still have problems, please post to answers.splunk.com using the link on this page.
Thus, in your case, you should change the macro to be sourcetype=dhcp. You might have to wait 5 or 10 minutes after that for the dashboard's saved searches to work as expected.
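What that change looks like on disk, as an added example and not a file taken from the app: the stanza format is Splunk's standard macros.conf, and putting it in the app's local directory keeps an app upgrade from overwriting it. That the app defines WinDHCP_event in macros.conf is an assumption (the quoted documentation calls it both a macro and an event type); if it is an event type, the equivalent override goes in eventtypes.conf and is shown underneath.

```ini
# local/macros.conf inside the Windows DHCP app directory (assumed location)
# Override the app's default so the dashboards search the sourcetype actually
# in use instead of DhcpSrvLog.
[WinDHCP_event]
definition = sourcetype=dhcp

# If the app defines WinDHCP_event as an event type rather than a macro, the
# same override belongs in local/eventtypes.conf instead:
# [WinDHCP_event]
# search = sourcetype=dhcp

# Quick check from the search bar once the change has taken effect:
#   `WinDHCP_event` | head 5
```

A macro referenced as `WinDHCP_event` (with backticks) in the search bar should then return dhcp events; if it still does not, the problem is upstream of the macro, in the sourcetype or the field extractions.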
The link shows this search, with the part before the pipe highlighted: search sourcetype=DhcpSrvLog src_mac_prefix=* | top limit=10 src_mac_vendor showperc=f
On one of the dashboards where you are not getting data displayed, there will be a link next to 'no results found'. When you click on this link, it should show you some information on the search that was run, including the search itself. Can you let me know what the search string is?