- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to have a notable event search DHCP logs based...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to have a notable event search DHCP logs based on source in FW logs?
Hello
i have been trying to figure this out for days now.
i have logs coming in from multiple sources that only display IP address (src, dst, etc). what i would like to happen is that when a notable event fires, it searches the DHCP logs to tie a hostname to IP address at time of event. the logs are in separate indexes and i have tried join, transaction etc. i think a problem might be that in the events generating notables they are listed as src, src_ip, dst but in the DHCP logs they are shown as dest_ip. i need to map the dest (hostname) field to the ip field. sample below
index=IPS "cat=peer to peer" src=10.139.114.171
index=dhcp sourcetype=dhcpsrvlog dest_ip=10.139.114.171
is it possible to have the notable event spawn a subsearch to correlate this data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My recommendation is the common splunk pattern of lookup gen a time based lookup. Assign the lookup on the source type.
So make a search that runs in short intervals to update the time based lookup table.
https://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Configureatime-boundedlookup
Then assign it as an auto lookup to the source type.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for the response. i had considered a lookup table, however this wouldn't allow for historical searches. i guess maybe a combination of both might work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A time based lookup would allow for historical searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What have you tried so far? What was the outcome and what is the expected output? If I understand it correctly, you want to get the data from IPS index based on the dest_ips from dhcp index.. You can use the subsearch and rename the field in your search from des_ip to src to match the events. something like below
index=IPS "cat=peer to peer" src=10.139.114.171 | [search index=dhcp sourcetype=dhcpsrvlog dest_ip=10.139.114.171 | table dest_ip | rename dest_ip as src]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for the response. i have tried several variations of what you have provided and it always provides zero results. i can get results with independent searches but as soon as i do a join i get nothing. im thinking it has something to do with the time differential. the IPS event happened 15 minutes ago, but the dhcp request was logged 4 hours ago?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
