- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Add-on for Infoblox: For a single syslog fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings;
I am trying to ingest Infoblox logs received via syslog. Documentation states DNS logs should be sourcetype infoblox:dns , and DHCP as infoblox:dhcp. Both logs are combined, so which sourcetype should I use?
Is it possible (I am not the Infoblox admin) to separate these logs differently through syslog?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I haven't used it in production yet but if you look at props and transforms, it's just expecting the following two sourcetypes initially:
[infoblox:port]
TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
TRUNCATE = 0
[infoblox:file]
TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = false
TRUNCATE = 0
After that it will look at the data and assign it a sourcetype:
[infoblox_branch_source_type_1]
DEST_KEY = MetaData:Sourcetype
REGEX = \sdhcpd\[
FORMAT = sourcetype::infoblox:dhcp
[infoblox_branch_source_type_2]
DEST_KEY = MetaData:Sourcetype
REGEX = \snamed\[
FORMAT = sourcetype::infoblox:dns
So to answer your question. You should use infoblox:port if this is coming via Syslog or infoblox:file if you are reading it from a file.
Give it a go and let me know if that works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check this as well..
https://answers.splunk.com/answers/105106/splunk-for-infoblox.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I haven't used it in production yet but if you look at props and transforms, it's just expecting the following two sourcetypes initially:
[infoblox:port]
TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
TRUNCATE = 0
[infoblox:file]
TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = false
TRUNCATE = 0
After that it will look at the data and assign it a sourcetype:
[infoblox_branch_source_type_1]
DEST_KEY = MetaData:Sourcetype
REGEX = \sdhcpd\[
FORMAT = sourcetype::infoblox:dhcp
[infoblox_branch_source_type_2]
DEST_KEY = MetaData:Sourcetype
REGEX = \snamed\[
FORMAT = sourcetype::infoblox:dns
So to answer your question. You should use infoblox:port if this is coming via Syslog or infoblox:file if you are reading it from a file.
Give it a go and let me know if that works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, that did the trick!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
