After going through all the different posts about Infoblox, DHCP, I thought that I had it, but I can't seem to get it to work properly. I installed the posix DHCP tool and updated all the Regex statements to deal with the Infoblox syslog changes. The regex should be working but while I can see all my events show up as dhcpd_events, when I search for any fields (ie dhcp_message), I get nothing.

I'm kind of new to Splunk so I'm sure that I'm missing something. Hopefully somebody can point me in the right direction.

Some examples of the Syslogs that I am getting:

Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPINFORM from 10.10.237.42 via 10.10.236.3
Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPACK to 10.10.237.42 (f8:bc:12:d5:0e:19) via eth1
Apr 16 02:55:26 10.1.140.216 dhcpd[15805]: DHCPREQUEST for 10.11.23.114 from 00:1e:4a:92:02:30 (SEP001E4A920230) via 10.11.22.1 uid 01:00:1e:4a:92:02:30 (RENEW)

Transforms.conf (backslashes are being stripped to I have replaced them with ' )

[dhcpinform]
REGEX='s(dhcpd)'[[0-9]+']':'s(DHCPINFORM)'sfrom's('S+)'svia's('S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 dest_int::$4

[dhcpack_type2]
REGEX='s(dhcpd)'[[0-9]+']':'s(DHCPACK)'sto's('S+)'s(?:'(([^')]+)')'s)?via's('S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 dest_int::$5

[dhcprequest]
REGEX='s(dhcpd)'[[0-9]+']':'s(DHCPREQUEST)'sfor's('S+)'s(?:'(([^')]+)')'s)?from's('S+)'s(?:'(([^')]+)')'s)?via's('S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_nat_ip::$4 src_mac::$5 src_host::$6 dest_int::$7