All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Infoblox DHCP log extraction

sholmes
New Member
‎06-12-2014 07:48 AM

Hello,
How do you get the IP address from dhcpack from a log with the following format and the mac address?
<30>Jun 12 10:40:44 172.20.10.23 dhcpd[3360]: DHCPACK on 172.20.194.157 to 5c:f9:38:ad:fe:88 (Specht00-AIR) via eth2 relay 172.29.192.5 lease-duration 86400 (RENEW).

I tried this search
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "on\s(?\d+-\d+-\d+-\d+-)"

Tags (1)
0 Karma
Reply

TonyLeeVT
Builder
‎02-29-2016 01:21 PM

The latest infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end

Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes

TA is available here: https://splunkbase.splunk.com/app/2934/#/overview

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2014 08:00 AM

This regex worked for me on RegExr using your sample event.

rex "on\s(?<ip>\d+\.\d+\.\d+\.\d+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sholmes
New Member
‎06-12-2014 11:46 AM

This worked with below to generate a table of IP address.
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex "on\s(?\d+.\d+.\d+.\d+)" | table ip

0 Karma
Reply

kmscalf
New Member
‎06-12-2014 07:54 AM

Try this for IP

sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=on\s)\d{2,3}.\d{2,3}.\d{2,3}.\d{2,3})"

0 Karma
Reply

sholmes
New Member
‎06-12-2014 11:50 AM

worked to generate the information but now with other commands
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=ons)d{2,3}.d{2,3}.d{2,3}.d{2,3})" | table ip

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...