cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cposey13
Loves-to-Learn Lots
Member since: ‎04-09-2013
‎03-04-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-09-2013
Activity Feed
Topics I've Started
View All

Re: DHCP Field Extractions

by in All Apps and Add-ons
‎02-18-2020 09:23 AM
‎02-18-2020 09:23 AM
Thank you for your help in guiding me through these troubleshooting steps. I verified that fixing the permissions issue with tag sharing resolved my problem. ... View more

Re: DHCP Field Extractions

by in All Apps and Add-ons
‎02-15-2020 11:29 AM
‎02-15-2020 11:29 AM
Yes, I do get results when searching for the CIM fields, index=dhcp dest_ip=* OR dest_mac=* . I checked permissions for the TA under Settings > Fields > Field Extractions > Permissions. For "dhcp : REPORT-dhcplog" the object appears in "All apps" and "Everyone" has "Read" access. Are tags supposed to be shared globally as well? I noticed they are set for the app only. ... View more

Re: DHCP Field Extractions

by in All Apps and Add-ons
‎02-14-2020 12:17 PM
‎02-14-2020 12:17 PM
I think all of them? I have an app that relies on DHCP events to be CIM compliant and it gives this error. "We were unable to find any CIM compliant data indexed within the last 7 days. Please configure a suitable Technical Addon (TA) for your data format and ensure that live data is indexed." I used this app (https://splunkbase.splunk.com/app/2968) to check for CIM compliance and it doesn't find any CIM compliant DHCP data. ... View more

DHCP Field Extractions

by in All Apps and Add-ons
‎02-14-2020 11:03 AM
‎02-14-2020 11:03 AM
I installed the Microsoft Windows DHCP addon for Splunk to my search heads and am successfully indexing DHCP events, but the data doesn't seem to be CIM compliant per the CIM Validator app. Here are my configs. inputs.conf on the forwarder [monitor://C:\dhcplogs] sourcetype = dhcp crcSalt = <SOURCE> alwaysOpenFile = 1 disabled = false whitelist = DhcpSrvLog* index=dhcp eventtypes.conf on the search head [dhcp] search = index=dhcp sourcetype=dhcp [dhcp_start] search = index=dhcp sourcetype=dhcp (id=10 OR id=11 OR id=13) [dhcp_stop] search = index=dhcp sourcetype=dhcp (id=12 OR id=16 OR id=17) props.conf on the search head [dhcp] TRANSFORMS-dhcp_strip_headers = dhcp_strip_headers REPORT-dhcplog = REPORT-dhcplog LOOKUP-dhcp_id = dhcp_id id OUTPUTNEW level signature action LOOKUP-quarantine = quarantine_result qresult OUTPUTNEW quarantine_info FIELDALIAS-dhcp_cim = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))) EVAL-dest = coalesce(nt_host, ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":")))) tags.conf on the search head [eventtype=dhcp] dhcp = enabled network = enabled session = enabled windows = enabled [eventtype=dhcp_start] start = enabled [eventtype=dhcp_stop] stop = enabled transforms.conf on the search head [dhcp_id] batch_index_query = 0 case_sensitive_match = 0 filename = dhcp_ids.csv max_matches = 1 [dhcp_strip_headers] REGEX = ^(?:ID|#) DEST_KEY = queue FORMAT = nullQueue [REPORT-dhcplog] DELIMS = "," FIELDS = "id","date","time","description","ip","nt_host","mac","user","transaction_id","qresult","probation_time","correlation_id","dhcid","vendorclass_hex","vendor_ascii","userclass_hex","userclass_ascii","relay_agent","dns_reg_error" [quarantine_result] batch_index_query = 0 case_sensitive_match = 1 filename = dhcp_quarantine.csv max_matches = 1 Thanks for any input. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2021 09:47 PM