Infoblox:file not converting to infoblox:dhcp or infoblox:dns

manderson7
Contributor

Running this in my lab, I've installed the Infoblox TA and ingested a log file from our Infoblox appliance. I assigned the infoblox:file sourcetype to the ingested data, but I'm not seeing any infoblox:dns or infoblox:dhcp sourcetypes. Running btool transforms list --debug and btool props list --debug, the relevant results are below:

transforms.txt

c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_branch_source_type_1]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        DEST_KEY = MetaData:Sourcetype
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = sourcetype::infoblox:dhcp
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = \sdhcpd\[
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_branch_source_type_2]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        DEST_KEY = MetaData:Sourcetype
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = sourcetype::infoblox:dns
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = \snamed\[
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_dhcp_extract_field_0]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEST_KEY = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = infoblox_ip::$1 pid::$2
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sdhcpd\[(\d+)\]\:
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_dhcp_extract_field_1]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEST_KEY = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = dhcp_type::$1 src_mac::$2 src_hostname::$3 relay::$4 dhcp_discover_comment::$5
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = (DHCPDISCOVER)\sfrom\s([0-9a-zA-Z]{2}(?:\:[0-9a-zA-Z]{2}){5})\s(?:\(([^\)]+)\)\s)?via\s([^\:$]+)(?:\:\s([^$]+))?$
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_dhcp_extract_field_10] 

props.txt

c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        [infoblox:file]
c:\Program Files\Splunk\etc\system\default\props.conf                         ANNOTATE_PUNCT = True
c:\Program Files\Splunk\etc\system\default\props.conf                         AUTO_KV_JSON = true
c:\Program Files\Splunk\etc\system\default\props.conf                         BREAK_ONLY_BEFORE = 
c:\Program Files\Splunk\etc\system\default\props.conf                         BREAK_ONLY_BEFORE_DATE = True
c:\Program Files\Splunk\etc\system\default\props.conf                         CHARSET = AUTO
c:\Program Files\Splunk\etc\system\default\props.conf                         DATETIME_CONFIG = \etc\datetime.xml
c:\Program Files\Splunk\etc\system\default\props.conf                         HEADER_MODE = 
c:\Program Files\Splunk\etc\system\default\props.conf                         LEARN_MODEL = true
c:\Program Files\Splunk\etc\system\default\props.conf                         LEARN_SOURCETYPE = true
c:\Program Files\Splunk\etc\system\default\props.conf                         LINE_BREAKER_LOOKBEHIND = 100
c:\Program Files\Splunk\etc\system\default\props.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DAYS_AGO = 2000
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DAYS_HENCE = 2
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DIFF_SECS_AGO = 3600
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DIFF_SECS_HENCE = 604800
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_EVENTS = 256
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        MAX_TIMESTAMP_LOOKAHEAD = 20
c:\Program Files\Splunk\etc\system\default\props.conf                         MUST_BREAK_AFTER = 
c:\Program Files\Splunk\etc\system\default\props.conf                         MUST_NOT_BREAK_AFTER = 
c:\Program Files\Splunk\etc\system\default\props.conf                         MUST_NOT_BREAK_BEFORE = 
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION = indexing
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-all = full
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-inner = inner
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-outer = outer
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-raw = none
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-standard = standard
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        SHOULD_LINEMERGE = false
c:\Program Files\Splunk\etc\system\default\props.conf                         TRANSFORMS = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        TRUNCATE = 0  

Any help would be appreciated.

0 Karma

javiergn
Super Champion

Can you paste your inputs.conf too and a log sample if possible?

In any case, see if the following answer helps: https://answers.splunk.com/answers/418075/splunk-add-on-for-infoblox-for-a-single-syslog-fil.html

0 Karma

manderson7
Contributor

Turns out this was a problem on my end. My Infoblox is only sending out firewall entries, so no DHCP or DNS log entries are being ingested. I think that's why this isn't working. I've looked in the transforms file and have created my own field extractions. Thanks anyway for your help.

0 Karma
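A quick way to confirm this diagnosis before ingesting anything is to run the TA's own branching regexes over a sample of the raw syslog. The script below is an added example, not part of this thread or of Splunk_TA_infoblox; it reuses the REGEX and FORMAT values from the btool output above (the two sourcetype-branching transforms and the DHCPDISCOVER extraction), applies them the way a TRANSFORMS- class is applied at index time, and reports which sourcetype each event would end up with. The sample events are constructed for illustration; the "fwd[777]" line is only a stand-in for a firewall-style event and is not a real Infoblox log format. If every line of your sample comes back as infoblox:file, nothing in it contains " dhcpd[" or " named[" and the TA has nothing to branch on.

```python
import re

# Sourcetype-branching transforms from Splunk_TA_infoblox's transforms.conf,
# as listed in TRANSFORMS-0_branch_source_type. Splunk applies the transforms
# of a class in listed order; each match writes MetaData:Sourcetype, so a later
# match would override an earlier one (a single event never matches both here).
BRANCH_TRANSFORMS = [
    ("infoblox_branch_source_type_1", re.compile(r"\sdhcpd\["), "infoblox:dhcp"),
    ("infoblox_branch_source_type_2", re.compile(r"\snamed\["), "infoblox:dns"),
]

# Search-time extraction [infoblox_dhcp_extract_field_1] from the same file.
DHCP_DISCOVER_RE = re.compile(
    r"(DHCPDISCOVER)\sfrom\s([0-9a-zA-Z]{2}(?:\:[0-9a-zA-Z]{2}){5})\s"
    r"(?:\(([^\)]+)\)\s)?via\s([^\:$]+)(?:\:\s([^$]+))?$"
)
DHCP_DISCOVER_FIELDS = (
    "dhcp_type", "src_mac", "src_hostname", "relay", "dhcp_discover_comment",
)

# Constructed sample events (not captured from a real appliance). The third
# line is a placeholder for a firewall-style event, which the TA does not
# branch on; it is not a real Infoblox firewall log format.
SAMPLE_EVENTS = [
    "Mar 20 10:15:32 10.0.0.5 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 (host-a) via eth1",
    "Mar 20 10:15:33 10.0.0.5 named[2345]: client 10.0.0.20#5353: query: example.com IN A + (10.0.0.5)",
    "Mar 20 10:15:34 10.0.0.5 fwd[777]: drop tcp 203.0.113.9:4444 -> 10.0.0.5:22",
    "Mar 20 10:15:35 10.0.0.5 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via 10.0.0.1: network 10.0.0.0/24: no free leases",
]


def branch_sourcetype(raw, default="infoblox:file"):
    """Return the sourcetype Splunk would assign to one raw event.

    `default` is the sourcetype set in inputs.conf (infoblox:file in the
    thread); events matching no branching regex keep it.
    """
    sourcetype = default
    for _name, regex, new_sourcetype in BRANCH_TRANSFORMS:
        if regex.search(raw):
            sourcetype = new_sourcetype
    return sourcetype


def extract_dhcp_discover(raw):
    """Apply [infoblox_dhcp_extract_field_1] and return the FORMAT fields.

    Optional groups that did not participate are dropped, matching the
    KEEP_EMPTY_VALS = False default shown in the btool output.
    """
    m = DHCP_DISCOVER_RE.search(raw)
    if not m:
        return {}
    return {k: v for k, v in zip(DHCP_DISCOVER_FIELDS, m.groups()) if v}


def summarize(events):
    """Count events per resulting sourcetype. A result containing only
    infoblox:file means the sample will never branch, which is what the
    thread's firewall-only feed produced."""
    counts = {}
    for raw in events:
        st = branch_sourcetype(raw)
        counts[st] = counts.get(st, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        st = branch_sourcetype(raw)
        print(f"{st:<14} {raw}")
        if st == "infoblox:dhcp":
            print("   fields:", extract_dhcp_discover(raw))
    print("summary:", summarize(SAMPLE_EVENTS))
```

To use this on real data, replace SAMPLE_EVENTS with lines read from the file you are about to ingest. Keep in mind that Splunk's branching runs against the event after line breaking, so if SHOULD_LINEMERGE or the LINE_BREAKER produce different events than one-line-per-event, test against those events rather than the raw file lines.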