Running this in my lab, I've installed the Infoblox TA and ingested a log file from our Infoblox appliance. I assigned the infoblox:file sourcetype to the ingested data, but I'm not seeing any infoblox:dns or infoblox:dhcp sourcetypes. Running btool transforms list --debug and btool props list --debug, the relevant results are below:
transforms.txt
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf [infoblox_branch_source_type_1]
c:\Program Files\Splunk\etc\system\default\transforms.conf CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf DEFAULT_VALUE =
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf DEST_KEY = MetaData:Sourcetype
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf FORMAT = sourcetype::infoblox:dhcp
c:\Program Files\Splunk\etc\system\default\transforms.conf KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf REGEX = \sdhcpd\[
c:\Program Files\Splunk\etc\system\default\transforms.conf SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf [infoblox_branch_source_type_2]
c:\Program Files\Splunk\etc\system\default\transforms.conf CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf DEFAULT_VALUE =
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf DEST_KEY = MetaData:Sourcetype
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf FORMAT = sourcetype::infoblox:dns
c:\Program Files\Splunk\etc\system\default\transforms.conf KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf REGEX = \snamed\[
c:\Program Files\Splunk\etc\system\default\transforms.conf SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf [infoblox_dhcp_extract_field_0]
c:\Program Files\Splunk\etc\system\default\transforms.conf CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf DEFAULT_VALUE =
c:\Program Files\Splunk\etc\system\default\transforms.conf DEST_KEY =
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf FORMAT = infoblox_ip::$1 pid::$2
c:\Program Files\Splunk\etc\system\default\transforms.conf KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf REGEX = (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sdhcpd\[(\d+)\]\:
c:\Program Files\Splunk\etc\system\default\transforms.conf SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf [infoblox_dhcp_extract_field_1]
c:\Program Files\Splunk\etc\system\default\transforms.conf CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf DEFAULT_VALUE =
c:\Program Files\Splunk\etc\system\default\transforms.conf DEST_KEY =
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf FORMAT = dhcp_type::$1 src_mac::$2 src_hostname::$3 relay::$4 dhcp_discover_comment::$5
c:\Program Files\Splunk\etc\system\default\transforms.conf KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf REGEX = (DHCPDISCOVER)\sfrom\s([0-9a-zA-Z]{2}(?:\:[0-9a-zA-Z]{2}){5})\s(?:\(([^\)]+)\)\s)?via\s([^\:$]+)(?:\:\s([^$]+))?$
c:\Program Files\Splunk\etc\system\default\transforms.conf SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf [infoblox_dhcp_extract_field_10]
props.txt
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf [infoblox:file]
c:\Program Files\Splunk\etc\system\default\props.conf ANNOTATE_PUNCT = True
c:\Program Files\Splunk\etc\system\default\props.conf AUTO_KV_JSON = true
c:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE =
c:\Program Files\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE_DATE = True
c:\Program Files\Splunk\etc\system\default\props.conf CHARSET = AUTO
c:\Program Files\Splunk\etc\system\default\props.conf DATETIME_CONFIG = \etc\datetime.xml
c:\Program Files\Splunk\etc\system\default\props.conf HEADER_MODE =
c:\Program Files\Splunk\etc\system\default\props.conf LEARN_MODEL = true
c:\Program Files\Splunk\etc\system\default\props.conf LEARN_SOURCETYPE = true
c:\Program Files\Splunk\etc\system\default\props.conf LINE_BREAKER_LOOKBEHIND = 100
c:\Program Files\Splunk\etc\system\default\props.conf MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_AGO = 2000
c:\Program Files\Splunk\etc\system\default\props.conf MAX_DAYS_HENCE = 2
c:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_AGO = 3600
c:\Program Files\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_HENCE = 604800
c:\Program Files\Splunk\etc\system\default\props.conf MAX_EVENTS = 256
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf MAX_TIMESTAMP_LOOKAHEAD = 20
c:\Program Files\Splunk\etc\system\default\props.conf MUST_BREAK_AFTER =
c:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_AFTER =
c:\Program Files\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_BEFORE =
c:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION = indexing
c:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-all = full
c:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-inner = inner
c:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-outer = outer
c:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-raw = none
c:\Program Files\Splunk\etc\system\default\props.conf SEGMENTATION-standard = standard
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf SHOULD_LINEMERGE = false
c:\Program Files\Splunk\etc\system\default\props.conf TRANSFORMS =
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf TRUNCATE = 0
Any help would be appreciated.
Can you paste your inputs.conf too and a log sample if possible?
In any case, see if the following answer helps: https://answers.splunk.com/answers/418075/splunk-add-on-for-infoblox-for-a-single-syslog-fil.html
Turns out this was a problem on my end. My Infoblox is only sending out firewall entries, so no DHCP or DNS log entries are being ingested. I think that's why this isn't working. I've looked in the transforms file and have created my own field extractions. Thanks anyway for your help.
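As an added example (not code from the post or from Splunk_TA_infoblox), the Python below simulates the two branching transforms and the DHCPDISCOVER extraction quoted in the btool output against constructed sample lines. It includes a firewall-style line that matches neither branch regex, which is the situation described in the final reply: the event keeps the input-time sourcetype infoblox:file. The sample lines and the firewall line format are assumptions, not real Infoblox output.

```python
import re
from collections import Counter

# Branching transforms copied from the Splunk_TA_infoblox btool output above:
# (stanza, REGEX, FORMAT). Splunk runs TRANSFORMS-0_branch_source_type in list
# order against _raw; this is a constructed simulation, not Splunk's own code.
BRANCH_TRANSFORMS = [
    ("infoblox_branch_source_type_1", r"\sdhcpd\[", "sourcetype::infoblox:dhcp"),
    ("infoblox_branch_source_type_2", r"\snamed\[", "sourcetype::infoblox:dns"),
]

# infoblox_dhcp_extract_field_1 from the same output, with its FORMAT field names.
DHCP_DISCOVER_REGEX = re.compile(
    r"(DHCPDISCOVER)\sfrom\s([0-9a-zA-Z]{2}(?:\:[0-9a-zA-Z]{2}){5})\s"
    r"(?:\(([^\)]+)\)\s)?via\s([^\:$]+)(?:\:\s([^$]+))?$"
)
DHCP_DISCOVER_FIELDS = ["dhcp_type", "src_mac", "src_hostname", "relay",
                        "dhcp_discover_comment"]

# Constructed sample events (not real Infoblox output). The first two carry the
# "dhcpd[" / "named[" process tags the branching regexes key on; the third stands
# in for the firewall-only lines the poster was actually receiving.
SAMPLE_LINES = [
    "Mar  1 10:00:00 10.0.0.5 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff (host1) via 10.0.0.1",
    "Mar  1 10:00:01 10.0.0.5 named[2345]: client 10.0.0.9#53000: query: example.com IN A + (10.0.0.5)",
    "Mar  1 10:00:02 10.0.0.5 kernel: firewall DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP DPT=22",
]


def branch_sourcetype(raw, default="infoblox:file"):
    """Sourcetype the branching transforms leave on one raw event. An event that
    matches neither regex keeps the input-time sourcetype (here infoblox:file),
    which is why firewall-only logs never show up as infoblox:dns or :dhcp."""
    sourcetype = default
    for _stanza, regex, fmt in BRANCH_TRANSFORMS:
        if re.search(regex, raw):
            sourcetype = fmt.split("::", 1)[1]   # FORMAT = sourcetype::<value>
    return sourcetype


def sourcetype_counts(lines):
    """What `| stats count by sourcetype` over the ingested file would show."""
    return Counter(branch_sourcetype(line) for line in lines)


def extract_dhcp_discover(raw):
    """Fields infoblox_dhcp_extract_field_1 yields; unmatched optional groups are
    dropped, mirroring KEEP_EMPTY_VALS = False."""
    m = DHCP_DISCOVER_REGEX.search(raw)
    return {k: v for k, v in zip(DHCP_DISCOVER_FIELDS, m.groups()) if v} if m else {}
```

Feeding only firewall-style lines through sourcetype_counts reproduces the symptom in the question: every event stays infoblox:file, so the DHCP and DNS extractions never have anything to act on.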