
Infoblox:file not converting to infoblox:dhcp or infoblox:dns

manderson7
Contributor

Running this in my lab, I've installed the Infoblox TA and ingested a log file from our Infoblox appliance. I assigned the infoblox:file sourcetype to the ingested data, but I'm not seeing any infoblox:dns or infoblox:dhcp sourcetypes. Running btool transforms list --debug and btool props list --debug, the relevant results are below:

transforms.txt

c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_branch_source_type_1]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        DEST_KEY = MetaData:Sourcetype
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = sourcetype::infoblox:dhcp
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = \sdhcpd\[
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_branch_source_type_2]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        DEST_KEY = MetaData:Sourcetype
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = sourcetype::infoblox:dns
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = \snamed\[
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_dhcp_extract_field_0]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEST_KEY = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = infoblox_ip::$1 pid::$2
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sdhcpd\[(\d+)\]\:
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_dhcp_extract_field_1]
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CAN_OPTIMIZE = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         CLEAN_KEYS = True
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEFAULT_VALUE = 
c:\Program Files\Splunk\etc\system\default\transforms.conf                         DEST_KEY = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        FORMAT = dhcp_type::$1 src_mac::$2 src_hostname::$3 relay::$4 dhcp_discover_comment::$5
c:\Program Files\Splunk\etc\system\default\transforms.conf                         KEEP_EMPTY_VALS = False
c:\Program Files\Splunk\etc\system\default\transforms.conf                         LOOKAHEAD = 4096
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\transforms.conf                         MV_ADD = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        REGEX = (DHCPDISCOVER)\sfrom\s([0-9a-zA-Z]{2}(?:\:[0-9a-zA-Z]{2}){5})\s(?:\(([^\)]+)\)\s)?via\s([^\:$]+)(?:\:\s([^$]+))?$
c:\Program Files\Splunk\etc\system\default\transforms.conf                         SOURCE_KEY = _raw
c:\Program Files\Splunk\etc\system\default\transforms.conf                         WRITE_META = False
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\transforms.conf        [infoblox_dhcp_extract_field_10] 

props.txt

c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        [infoblox:file]
c:\Program Files\Splunk\etc\system\default\props.conf                         ANNOTATE_PUNCT = True
c:\Program Files\Splunk\etc\system\default\props.conf                         AUTO_KV_JSON = true
c:\Program Files\Splunk\etc\system\default\props.conf                         BREAK_ONLY_BEFORE = 
c:\Program Files\Splunk\etc\system\default\props.conf                         BREAK_ONLY_BEFORE_DATE = True
c:\Program Files\Splunk\etc\system\default\props.conf                         CHARSET = AUTO
c:\Program Files\Splunk\etc\system\default\props.conf                         DATETIME_CONFIG = \etc\datetime.xml
c:\Program Files\Splunk\etc\system\default\props.conf                         HEADER_MODE = 
c:\Program Files\Splunk\etc\system\default\props.conf                         LEARN_MODEL = true
c:\Program Files\Splunk\etc\system\default\props.conf                         LEARN_SOURCETYPE = true
c:\Program Files\Splunk\etc\system\default\props.conf                         LINE_BREAKER_LOOKBEHIND = 100
c:\Program Files\Splunk\etc\system\default\props.conf                         MATCH_LIMIT = 100000
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DAYS_AGO = 2000
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DAYS_HENCE = 2
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DIFF_SECS_AGO = 3600
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_DIFF_SECS_HENCE = 604800
c:\Program Files\Splunk\etc\system\default\props.conf                         MAX_EVENTS = 256
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        MAX_TIMESTAMP_LOOKAHEAD = 20
c:\Program Files\Splunk\etc\system\default\props.conf                         MUST_BREAK_AFTER = 
c:\Program Files\Splunk\etc\system\default\props.conf                         MUST_NOT_BREAK_AFTER = 
c:\Program Files\Splunk\etc\system\default\props.conf                         MUST_NOT_BREAK_BEFORE = 
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION = indexing
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-all = full
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-inner = inner
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-outer = outer
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-raw = none
c:\Program Files\Splunk\etc\system\default\props.conf                         SEGMENTATION-standard = standard
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        SHOULD_LINEMERGE = false
c:\Program Files\Splunk\etc\system\default\props.conf                         TRANSFORMS = 
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        TRANSFORMS-0_branch_source_type = infoblox_branch_source_type_1, infoblox_branch_source_type_2
c:\Program Files\Splunk\etc\apps\Splunk_TA_infoblox\default\props.conf        TRUNCATE = 0  

Any help would be appreciated.

0 Karma

javiergn
Super Champion

Can you paste your inputs.conf too and a log sample if possible?

In any case, see if the following answer helps: https://answers.splunk.com/answers/418075/splunk-add-on-for-infoblox-for-a-single-syslog-fil.html

0 Karma

manderson7
Contributor

Turns out this was a problem on my end. My Infoblox is only sending out firewall entries, so no DHCP or DNS log entries are being ingested. I think that's why this isn't working. I've looked in the transforms file and have created my own field extractions. Thanks anyway for your help.

0 Karma
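The branching logic in the btool output from the question, and why firewall-only data stays as infoblox:file as the resolution describes, shown as an added Python emulation. This is not part of the original thread or of the Splunk_TA_infoblox add-on: it copies the REGEX and FORMAT values from the transforms output above and runs them over constructed sample lines. The sample lines, the assumption that the DHCP extraction transforms apply only to events already branched to infoblox:dhcp (the page does not show which props stanza applies them), and the sequential-overwrite ordering of the two branch transforms are assumptions of this example, not facts from the page. Splunk evaluates these regexes with PCRE; Python's re module handles these particular patterns the same way.

```python
import re

# Sourcetype-branching transforms, copied from the btool output in the
# question. Both write MetaData:Sourcetype, so a matching REGEX on _raw
# rewrites the event's sourcetype away from infoblox:file.
BRANCH_TRANSFORMS = [
    ("infoblox_branch_source_type_1", r"\sdhcpd\[", "infoblox:dhcp"),
    ("infoblox_branch_source_type_2", r"\snamed\[", "infoblox:dns"),
]

# DHCP field extractions from the same output; FORMAT names map to regex
# capture groups in order. Assumption of this example: they run only on
# events that were branched to infoblox:dhcp.
DHCP_EXTRACTIONS = [
    (r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sdhcpd\[(\d+)\]\:",
     ["infoblox_ip", "pid"]),
    (r"(DHCPDISCOVER)\sfrom\s([0-9a-zA-Z]{2}(?:\:[0-9a-zA-Z]{2}){5})\s"
     r"(?:\(([^\)]+)\)\s)?via\s([^\:$]+)(?:\:\s([^$]+))?$",
     ["dhcp_type", "src_mac", "src_hostname", "relay", "dhcp_discover_comment"]),
]


def branch_sourcetype(raw, initial="infoblox:file"):
    """Emulate TRANSFORMS-0_branch_source_type: transforms are applied in
    the listed order (assumed here), and each matching REGEX overwrites the
    sourcetype with its FORMAT value. No match leaves the initial value."""
    sourcetype = initial
    for _name, regex, new_sourcetype in BRANCH_TRANSFORMS:
        if re.search(regex, raw):
            sourcetype = new_sourcetype
    return sourcetype


def extract_dhcp_fields(raw):
    """Apply the DHCP extraction regexes. Unmatched optional groups are
    dropped, mirroring KEEP_EMPTY_VALS = False in the btool output."""
    fields = {}
    for regex, names in DHCP_EXTRACTIONS:
        match = re.search(regex, raw)
        if match:
            for name, value in zip(names, match.groups()):
                if value:
                    fields[name] = value
    return fields


def process_events(raw_lines):
    """Return a (sourcetype, fields) tuple per line."""
    results = []
    for raw in raw_lines:
        sourcetype = branch_sourcetype(raw)
        fields = extract_dhcp_fields(raw) if sourcetype == "infoblox:dhcp" else {}
        results.append((sourcetype, fields))
    return results


# Constructed sample lines (not taken from the poster's appliance): two
# dhcpd events (one with a hostname, one with a relay comment), one named
# event, and one line matching neither branch regex, standing in for the
# firewall-only data the poster turned out to have.
SAMPLE_LINES = [
    "Jan 10 10:15:01 10.0.0.5 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 (laptop-01) via eth1",
    "Jan 10 10:15:04 10.0.0.5 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via 10.0.1.1: network 10.0.1.0/24: no free leases",
    "Jan 10 10:15:02 10.0.0.5 named[4321]: client 10.0.0.7#53422: query: example.com IN A + (10.0.0.5)",
    "Jan 10 10:15:03 10.0.0.5 firewall: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    for raw, (sourcetype, fields) in zip(SAMPLE_LINES, process_events(SAMPLE_LINES)):
        print(f"{sourcetype:14} {fields}")
```

The last sample line is the case from the resolution: nothing in the TRANSFORMS list matches, so the event keeps the sourcetype it arrived with, and the infoblox:dhcp and infoblox:dns sourcetypes never appear in search. A quick way to confirm this on a real indexer is to search the infoblox:file sourcetype for `dhcpd[` or `named[` before suspecting the add-on.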