Infoblox DHCP log extraction

sholmes
New Member

Hello,
How do you get the IP address and the MAC address from a DHCPACK event in a log with the following format?
<30>Jun 12 10:40:44 172.20.10.23 dhcpd[3360]: DHCPACK on 172.20.194.157 to 5c:f9:38:ad:fe:88 (Specht00-AIR) via eth2 relay 172.29.192.5 lease-duration 86400 (RENEW).

I tried this search
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "on\s(?<ip>\d+-\d+-\d+-\d+-)"

TonyLeeVT
Builder

The latest Infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end

Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes

TA is available here: https://splunkbase.splunk.com/app/2934/#/overview

richgalloway
SplunkTrust

This regex worked for me on RegExr using your sample event.

rex "on\s(?<ip>\d+\.\d+\.\d+\.\d+)"
---
If this reply helps you, Karma would be appreciated.
sholmes
New Member

This worked with the search below to generate a table of IP addresses.
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex "on\s(?<ip>\d+\.\d+\.\d+\.\d+)" | table ip

kmscalf
New Member

Try this for IP

sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?<ip>(?<=on\s)\d{2,3}\.\d{2,3}\.\d{2,3}\.\d{2,3})"

sholmes
New Member

Worked to generate the information, but now with other commands:
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?<ip>(?<=on\s)\d{2,3}\.\d{2,3}\.\d{2,3}\.\d{2,3})" | table ip

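The extraction the thread converges on, worked through in Python as an added example (not code from the thread or from the Infoblox TA): one named-group regex pulls ip, mac, hostname, interface, relay and lease duration from the DHCPACK line quoted in the question. The sample events are constructed; the second one has a single-digit octet to show why `\d{1,3}` is safer than the `\d{2,3}` used above, and the dots are escaped so `.` cannot match an arbitrary character.

```python
import re

# Constructed sample events in the Infoblox dhcpd syslog format from the thread.
# The first is the event quoted in the question; the second is constructed with
# a single-digit octet, which a \d{2,3} pattern would fail to match.
SAMPLE_EVENTS = [
    "<30>Jun 12 10:40:44 172.20.10.23 dhcpd[3360]: DHCPACK on 172.20.194.157 to "
    "5c:f9:38:ad:fe:88 (Specht00-AIR) via eth2 relay 172.29.192.5 lease-duration 86400 (RENEW).",
    "<30>Jun 12 10:41:02 172.20.10.23 dhcpd[3360]: DHCPACK on 10.0.0.7 to "
    "00:11:22:33:44:55 via eth1 lease-duration 3600.",
]

# Named groups mirror the Splunk field names used in the thread (ip, mac, ...).
# Octets are \d{1,3} and dots are escaped; the trailing groups are optional so
# events without hostname, relay or lease type still parse.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))?"
    r"(?: via (?P<iface>\S+))?"
    r"(?: relay (?P<relay>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?: lease-duration (?P<lease>\d+))?"
    r"(?: \((?P<kind>[A-Z]+)\))?",
    re.IGNORECASE,
)


def parse_dhcpack(event: str):
    """Return a dict of extracted fields for a DHCPACK event, or None otherwise."""
    m = DHCPACK_RE.search(event)
    if not m:
        return None
    fields = m.groupdict()
    if fields["lease"] is not None:
        fields["lease"] = int(fields["lease"])
    return fields


def ip_mac_table(events):
    """Rough equivalent of '... | table ip mac' over a list of raw events."""
    rows = []
    for ev in events:
        f = parse_dhcpack(ev)
        if f:
            rows.append((f["ip"], f["mac"]))
    return rows


if __name__ == "__main__":
    for row in ip_mac_table(SAMPLE_EVENTS):
        print(row)
```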