https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547036#M155079 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/147711">@jonaclough</a>&nbsp;<BR /><BR />I think the best way is create a identity and asset lookup table to manage better the logs flow.</P><P>Please check how works lookup table:</P><P><A href="https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup" target="_blank">https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup</A></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Apr 2021 13:49:35 GMT aasabatini 2021-04-07T13:49:35Z https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547034#M155078 <DIV class="lia-quilt-row lia-quilt-row-message-subject"><DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-subject-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"><DIV class="topic-subject-wrapper"><DIV class="lia-message-subject lia-component-message-view-widget-subject"><DIV class="MessageSubject">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV><DIV class="lia-quilt-row lia-quilt-row-message-author"><DIV class="lia-quilt-column lia-quilt-column-20 lia-quilt-column-left lia-quilt-column-message-author-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-left"><DIV class="lia-message-author-avatar lia-component-author-avatar lia-component-message-view-widget-author-avatar"><DIV class="UserAvatar lia-user-avatar lia-component-common-widget-user-avatar">&nbsp;</DIV></DIV><DIV class="lia-message-author-with-avatar">&nbsp;</DIV></DIV></DIV></DIV><DIV class="lia-quilt-row lia-quilt-row-message-body"><DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-body-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>We need to add users to our (unauthenticated) internal proxy logs. Currently the proxy logs only identity the initiator by IP address.</P><P>We have DHCP and/or windows desktop logs to link the IP to a hostname. We have windows logon events which contain the hostname and user fields. Multiple users are able to log onto certain hosts and indeed might be logged on at the same time (using fast user switching).</P><P>Has anyone any advice on how to solve this problem at scale (30 million events/hour)</P></DIV></DIV></DIV></DIV></DIV> Wed, 07 Apr 2021 13:23:28 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547034#M155078 jonaclough 2021-04-07T13:23:28Z https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547036#M155079 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/147711">@jonaclough</a>&nbsp;<BR /><BR />I think the best way is create a identity and asset lookup table to manage better the logs flow.</P><P>Please check how works lookup table:</P><P><A href="https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup" target="_blank">https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup</A></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Apr 2021 13:49:35 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547036#M155079 aasabatini 2021-04-07T13:49:35Z https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547056#M155082 <P>That's a link to DSP which is not relevant.&nbsp;Identity and Asset lookups are not going to work either as users do not own hosts.&nbsp;</P><P>I'm not sure if you are trying to grab Karma for your own purposes but your response is in no way relevant or helpful.</P> Wed, 07 Apr 2021 15:05:30 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547056#M155082 jonaclough 2021-04-07T15:05:30Z https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547058#M155083 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/147711">@jonaclough</a>&nbsp;</P><P>sorry if my solution doesn't work for you or isn't relevant,however I did not like your controversial comment.<BR />I tried to help, if my help doesn''t works please try to explain better.</P><P>how many sources are involved?</P><P>why Identity lookup doesn't works to with users and associated IP?</P><P><BR />maybe your enviroment have many record in your lookup you can think to migrate to kvstore</P><P>Please let me know&nbsp;I am a splunk enthusiast I don't need karma for my&nbsp;<SPAN>purposes&nbsp;</SPAN></P> Wed, 07 Apr 2021 15:30:11 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/547058#M155083 aasabatini 2021-04-07T15:30:11Z https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/548802#M155700 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222210">@aasabatini</a>&nbsp;</P><P>I have no doubt you are an enthusiast (what's not to love about splunk?! <span class="lia-unicode-emoji" title=":grinning_face:">😀</span>), but it is curious that there are a number of accounts whose sole purpose seems to be to keep you in the top 4 karma authors. Just sayin'</P> Wed, 21 Apr 2021 14:37:53 GMT https://community.splunk.com/t5/Splunk-Search/Identifying-user-based-on-IP-Address-Hostname/m-p/548802#M155700 ITWhisperer 2021-04-21T14:37:53Z