All Apps and Add-ons

Infoblox DHCP log extraction

sholmes
New Member

Hello,
How do you get the IP address from dhcpack from a log with the following format and the mac address?
<30>Jun 12 10:40:44 172.20.10.23 dhcpd[3360]: DHCPACK on 172.20.194.157 to 5c:f9:38:ad:fe:88 (Specht00-AIR) via eth2 relay 172.29.192.5 lease-duration 86400 (RENEW).

I tried this search
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "on\s(?\d+-\d+-\d+-\d+-)"

Tags (1)
0 Karma

TonyLeeVT
Builder

The latest infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end

Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes

TA is available here: https://splunkbase.splunk.com/app/2934/#/overview

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This regex worked for me on RegExr using your sample event.

rex "on\s(?<ip>\d+\.\d+\.\d+\.\d+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma

sholmes
New Member

This worked with below to generate a table of IP address.
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex "on\s(?\d+.\d+.\d+.\d+)" | table ip

0 Karma

kmscalf
New Member

Try this for IP

sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=on\s)\d{2,3}.\d{2,3}.\d{2,3}.\d{2,3})"

0 Karma

sholmes
New Member

worked to generate the information but now with other commands
sourcetype=ipam_dhcpd eventtype=dhcpd_dhcpack | rex field=_raw "(?(?<=ons)d{2,3}.d{2,3}.d{2,3}.d{2,3})" | table ip

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...