Splunk Search

Tying username to ip address

pkliewer
New Member

I have 2 logs being imported into Splunk Cloud -
Proxy logs that contain ip address, url, etc (all successfully extracted)
DHCP logs that contain username & ip address

What's the best way to tie the 2 together so I can assign a username to the proxy logs? Does a nightly report work best?

Proxy Fields: Time, IP Address, URL, Category
DHCP Log: Username, IP Address, Time IP assigned (client usually keeps same IP address the entire time, so I'd be searching on who had the IP address assigned last - this could be 2 hours ago or 1 month ago since this log only updates if their IP address changes, not if the ip address is renewed)


martin_mueller
SplunkTrust

Your DHCP logs probably mean something like "from now on for the next X amount of time, this IP belongs to that person", right?

Using that, I'd build a time-based lookup containing the timestamp of the lease as the lookup's time field, the IP and user to do the actual looking up, and with the maximum offset in props.conf set to the lease duration your DHCP uses. Define a frequently running scheduled search that updates the lookup with the latest incoming DHCP events to keep things fresh. Define a rarely running search to prune very old data from the lookup.

The great thing about a time-based lookup is that it'll cope well with re-assigning an IP to someone else - it's practically built for this kind of thing. If you have an event at, say, 4pm with IP 1.2.3.4 it'll look for the most recent entry before 4pm for that IP within the maximum offset / lease duration. That'll work even if 1.2.3.4 was assigned to someone else at 5pm, and it'll also work if you search for events from a long time ago - provided you still have both the proxy logs and the entries in the DHCP-fed lookup.

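One way to lay out the time-based lookup described above, as an added example rather than configuration from the thread's authors. It assumes a lookup file named dhcp_leases.csv with columns lease_time, ip and user, a proxy sourcetype named proxy whose events carry src_ip, a DHCP sourcetype named dhcp_lease, and a 24-hour lease duration.

```ini
# transforms.conf: time-based lookup definition (file and field names assumed)
[dhcp_leases]
filename = dhcp_leases.csv
time_field = lease_time
time_format = %s
# Match the most recent lease at or before the event's _time, but no older
# than the DHCP lease duration (24h assumed). If the DHCP source only logs
# address changes rather than renewals, raise this to the longest gap you
# expect between entries for one client, or stale leases will not match.
max_offset_secs = 86400
min_offset_secs = 0

# props.conf: attach the user automatically to proxy events (sourcetype assumed)
[proxy]
LOOKUP-dhcp_user = dhcp_leases ip AS src_ip OUTPUTNEW user

# savedsearches.conf: frequently running search that keeps the lookup fresh
[update_dhcp_leases]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -6m
dispatch.latest_time = now
search = index=dhcp sourcetype=dhcp_lease \
  | eval lease_time=_time \
  | table lease_time ip user \
  | outputlookup append=true dhcp_leases.csv

# savedsearches.conf: rarely running search that prunes leases older than 90 days
[prune_dhcp_leases]
enableSched = 1
cron_schedule = 0 3 * * 0
search = | inputlookup dhcp_leases.csv \
  | where lease_time > relative_time(now(), "-90d@d") \
  | outputlookup dhcp_leases.csv
```

With the props.conf entry in place, `index=proxy sourcetype=proxy` already shows the user field; for an ad-hoc check, `index=proxy | lookup dhcp_leases ip AS src_ip OUTPUTNEW user` applies the same lookup, using each event's _time to pick the lease.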

hsesterhenn_spl
Splunk Employee

Great answer.

In addition, you can run another scheduled search to store the combined information in a summary index.

Using this option you don't have to do the lookup every time you search.

HTH,

Holger
