Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mapping syslog events with IP adresses through DHCP events

Stefan_van_de_R
Explorer
‎03-30-2012 08:02 AM

Hi,

I'm indexing DHCP and Syslog events. To make it for the network administrators a lot easier when they have to know the physical location on a host based on the IP address, I want to make a mapping in Splunk. They both have a MAC Adress (src_mac) so it should be possible to extract the IP address out of the DHCP index.

The search query I made so far does an left join on the dhcp index but it returns a wrong IP address. 

index=syslog | join type=left [search index=main sourcetype=dhcp_log src_ip != '' AND src_mac != '' earliest=-8h | sort -_time| fields + src_ip]

Can someone gives me some tips how to make it valid?

Thanks!
- Stefan

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎03-30-2012 08:26 AM

You should join on a common field for both searches (the outer and the sub-search). Here's an example that would work if both searches provide the src_ip field. If the fields have different names you can either use a FIELDALIAS (in props.conf) or use eval or rename to normalize it.

index=syslog | join src_ip usetime=true ealier=true [ search index=main sourcetype=dhcp_log src_ip=* src_mac=* | fields _time src_ip src_mac ]

Additionally I added the usetime modifier for the join command as this probably makes sense for this kind of use-case.

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎03-30-2012 08:26 AM

You should join on a common field for both searches (the outer and the sub-search). Here's an example that would work if both searches provide the src_ip field. If the fields have different names you can either use a FIELDALIAS (in props.conf) or use eval or rename to normalize it.

index=syslog | join src_ip usetime=true ealier=true [ search index=main sourcetype=dhcp_log src_ip=* src_mac=* | fields _time src_ip src_mac ]

Additionally I added the usetime modifier for the join command as this probably makes sense for this kind of use-case.

Reply
Solved! Jump to solution

Stefan_van_de_R
Explorer
‎04-02-2012 01:59 AM

Thanks Ziegfried for your fast response!
With the query showed below Splunk makes a correct mapping altough I am going to try as well to use Lookups with CSV files to map the different events as the subsearch has a bad influence on the loading performance.

index=syslog | join src_mac usetime=true earlier=true [ search index=main sourcetype=dhcp_log src_ip= src_mac= | fields _time src_ip src_mac ]

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...