Can I take one IP with two different sets of logs ...

aaron_schmuhl · ‎07-21-2015

So, here's my admittedly dumb situation. I have an IPAM appliance(s) that does both DNS and DHCP. The output port for the logs isn't configurable according to the admin, so we're stuck with udp/514. Normally, getting two different IPs into the same port and differentiating traffic is pretty straightforward... but that's not what I have.

Can I somehow take one IP (say 192.168.1.1) with two different set of logs (DNS and DHCP) and somehow import that into two different sourcetypes? Can I determine sourcetype with a regex somehow?

sduff_splunk · ‎07-21-2015

In props.conf (assuming the current sourcetype is udp:514)

[udp:514]
TRANSFORMS-set_sourcetype_ipam = ipam_sourcetype_dns, ipam_sourcetype_dhcp

In transforms.conf

[ipam_sourcetype_dns]
REGEX = <regex for dns event>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dns

[ipam_sourcetype_dhcp]
REGEX = <regex for dhcp>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dhcp

You will need to develop your own regexes for the two event types, and put that in the transforms.conf file, and then all future events will be sourcetype'd appropriately.

bmacias84 · ‎07-21-2015

It possible using a transform and props conf. You will have to come up with a regex that will capture the event when a match occurs you will overwrite the meta field for sourcetype. This can be done on a heavy forwarder or indexer.

Can I take one IP with two different sets of logs (DNS and DHCP) and import that into two different sourcetypes?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...