All Apps and Add-ons

DHCP Field Extractions

cposey13
Loves-to-Learn Lots

I installed the Microsoft Windows DHCP addon for Splunk to my search heads and am successfully indexing DHCP events, but the data doesn't seem to be CIM compliant per the CIM Validator app.

Here are my configs.

inputs.conf on the forwarder

[monitor://C:\dhcplogs]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = DhcpSrvLog*
index=dhcp

eventtypes.conf on the search head

[dhcp]
search = index=dhcp sourcetype=dhcp
[dhcp_start]
search = index=dhcp sourcetype=dhcp (id=10 OR id=11 OR id=13)
[dhcp_stop]
search = index=dhcp sourcetype=dhcp (id=12 OR id=16 OR id=17)

props.conf on the search head

[dhcp]
TRANSFORMS-dhcp_strip_headers = dhcp_strip_headers
REPORT-dhcplog = REPORT-dhcplog
LOOKUP-dhcp_id = dhcp_id id OUTPUTNEW level signature action
LOOKUP-quarantine = quarantine_result qresult OUTPUTNEW quarantine_info
FIELDALIAS-dhcp_cim = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host
EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":")))
EVAL-dest = coalesce(nt_host, ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))))

tags.conf on the search head

[eventtype=dhcp]
dhcp = enabled
network = enabled
session = enabled
windows = enabled

[eventtype=dhcp_start]
start = enabled

[eventtype=dhcp_stop]
stop = enabled

transforms.conf on the search head

[dhcp_id]
batch_index_query = 0
case_sensitive_match = 0
filename = dhcp_ids.csv
max_matches = 1

[dhcp_strip_headers]
REGEX = ^(?:ID|#)
DEST_KEY = queue
FORMAT = nullQueue

[REPORT-dhcplog]
DELIMS = ","
FIELDS = "id","date","time","description","ip","nt_host","mac","user","transaction_id","qresult","probation_time","correlation_id","dhcid","vendorclass_hex","vendor_ascii","userclass_hex","userclass_ascii","relay_agent","dns_reg_error"

[quarantine_result]
batch_index_query = 0
case_sensitive_match = 1
filename = dhcp_quarantine.csv
max_matches = 1

Thanks for any input.

0 Karma
1 Solution

nickhills
Ultra Champion

Yes. Tags should be shared too. That could be the issue.

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

Yes. Tags should be shared too. That could be the issue.

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

cposey13
Loves-to-Learn Lots

Thank you for your help in guiding me through these troubleshooting steps. I verified that fixing the permissions issue with tag sharing resolved my problem.

0 Karma

nickhills
Ultra Champion

I just updated the app on Splunkbase https://splunkbase.splunk.com/app/4359/
Confirmed compatibility with 8.x and 7.x and fixed the tag sharing.

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Hi, what fields specifically are you having issues with?

If my comment helps, please give it a thumbs up!
0 Karma

cposey13
Loves-to-Learn Lots

I think all of them?

I have an app that relies on DHCP events to be CIM compliant and it gives this error.

"We were unable to find any CIM compliant data indexed within the last 7 days. Please configure a suitable Technical Addon (TA) for your data format and ensure that live data is indexed."

I used this app (https://splunkbase.splunk.com/app/2968) to check for CIM compliance and it doesn't find any CIM compliant DHCP data.

0 Karma

nickhills
Ultra Champion

Do the CIM fields show up in search? i.e Do you get results for index=dhcp dest_ip=* OR dest_mac=*
Is the TA and its extractions shared globally?

If my comment helps, please give it a thumbs up!
0 Karma

cposey13
Loves-to-Learn Lots

Yes, I do get results when searching for the CIM fields,

index=dhcp dest_ip=* OR dest_mac=*

.

I checked permissions for the TA under Settings > Fields > Field Extractions > Permissions. For "dhcp : REPORT-dhcplog" the object appears in "All apps" and "Everyone" has "Read" access.

Are tags supposed to be shared globally as well? I noticed they are set for the app only.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!