topic Re: Infoblox DHCP log extraction in All Apps and Add-ons

Infoblox DHCP log extraction

sholmes — Mon, 28 Sep 2020 16:50:27 GMT

Hello,
How do you get the IP address from dhcpack from a log with the following format and the mac address?
<30>Jun 12 10:40:44 172.20.10.23 dhcpd[3360]: DHCPACK on 172.20.194.157 to 5c:f9:38:ad:fe:88 (Specht00-AIR) via eth2 relay 172.29.192.5 lease-duration 86400 (RENEW).

I tried this search
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "on\s(?\d+-\d+-\d+-\d+-)"

Re: Infoblox DHCP log extraction

kmscalf — Mon, 28 Sep 2020 16:50:30 GMT

Try this for IP

sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=on\s)\d{2,3}.\d{2,3}.\d{2,3}.\d{2,3})"

Re: Infoblox DHCP log extraction

richgalloway — Thu, 12 Jun 2014 15:00:08 GMT

This regex worked for me on RegExr using your sample event.

rex "on\s(?<ip>\d+\.\d+\.\d+\.\d+)"

Re: Infoblox DHCP log extraction

sholmes — Mon, 28 Sep 2020 16:50:42 GMT

This worked with below to generate a table of IP address.
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex "on\s(?\d+.\d+.\d+.\d+)" | table ip

Re: Infoblox DHCP log extraction

sholmes — Mon, 28 Sep 2020 16:50:44 GMT

worked to generate the information but now with other commands
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=ons)d{2,3}.d{2,3}.d{2,3}.d{2,3})" | table ip

Re: Infoblox DHCP log extraction

TonyLeeVT — Tue, 29 Sep 2020 08:56:59 GMT

The latest infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end

Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes

TA is available here: https://splunkbase.splunk.com/app/2934/#/overview