
Splunk Add-on for Infoblox: Why is the src_ip field missing?

New Member

I've installed the Splunk Add-on for Infoblox to the search head, index, and universal forwarder in one of our environments. Just playing around with the data it provides I decided to look at the built-in panels. One is a simple search for the top 10 source IPs over the last 24 hours:

index=test sourcetype="infoblox:dns"  earliest=-1d  client |top 10 src_ip|table src_ip count |rename src_ip AS "Client IP" count AS "Requests"

Problem is that "src_ip" isn't a field in the data. It seems that it should be replaced with "dns_request_client_ip". We're not using Infoblox for DHCP but I see that this add-on does have a transform, I believe, for that sourcetype, infoblox:dhcp...just never makes it to infoblox:dns?

I believe this add-on may eventually tie into an implementation of the security app - I don't want to change it much for that reason, and I'm thinking the built-in panel should work?

0 Karma

Splunk Employee

In this add-on, the events which contain the text 'dhcpd' are included in sourcetype 'infoblox:dhcp', while the events which contain 'named' are treated as 'infoblox:dns'. In our sample data, field 'src_ip' is extracted from the events.
To dig further into your question, could you provide some sample data?
Thanks

0 Karma

Communicator

We're seeing events where "client" has IPV6 address not getting extracted. For example, the following does not get extracted correctly -- while events with IPV4 addresses are getting extracted correctly:

2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client 2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): query 'xxxx.ad.uillinois.edu/A/IN' denied

I see some add-ons have specifically addressed IPV6:
https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Extractions

Does Infoblox add-on need this done too?

0 Karma
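As an added illustration of the IPv6 problem raised in the last post (this is example code, not part of the thread or of the Splunk Add-on for Infoblox), the script below runs two extraction patterns over named-style events: an IPv4-only pattern of the kind that leaves `src_ip` empty on IPv6 clients, and an address-family-agnostic pattern that uses the `#` separator between address and port as the terminator. The IPv6 event is the one quoted above; the IPv4 event, the field names `src_ip`/`src_port` and the `top_src_ip` helper are constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Naive pattern: only a dotted-quad IPv4 address is accepted, so an IPv6
# client address yields no src_ip at all (the symptom described above).
IPV4_ONLY = re.compile(
    r"client (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<src_port>\d+)"
)

# Address-family-agnostic pattern: hex digits, ':' and '.' cover IPv4, IPv6
# and IPv4-mapped IPv6 (::ffff:10.0.0.1). The '#' that named puts between
# client address and source port terminates the address unambiguously.
ANY_IP = re.compile(r"client (?P<src_ip>[0-9A-Fa-f:.]+)#(?P<src_port>\d+)")


def extract_client(event: str, pattern: re.Pattern = ANY_IP) -> Optional[dict]:
    """Return {'src_ip', 'src_port', 'ip_version'} for one event, or None.

    The matched text is validated with ipaddress, so a regex hit on something
    that is not a real address (e.g. '::::') is rejected rather than becoming
    a bogus field value in a dashboard.
    """
    m = pattern.search(event)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("src_ip"))
    except ValueError:
        return None
    return {
        "src_ip": str(addr),
        "src_port": int(m.group("src_port")),
        "ip_version": addr.version,
    }


# Sample events: the first is the IPv6 line quoted in the thread, the second
# is a constructed IPv4 line in the same format.
SAMPLE_EVENTS = [
    "2019-07-31T16:00:15+00:00 dns1.illinois.edu named[23473]: client "
    "2001:558:fe04:a:69:252:244:142#53661 (xxxx.ad.uillinois.edu): "
    "query 'xxxx.ad.uillinois.edu/A/IN' denied",
    "2019-07-31T16:00:16+00:00 dns1.example.net named[23473]: client "
    "10.20.30.40#41234 (host.example.net): query 'host.example.net/A/IN' denied",
]


def top_src_ip(events, pattern=ANY_IP):
    """Mimic '| top src_ip': count extracted client IPs, most frequent first."""
    counts = {}
    for ev in events:
        hit = extract_client(ev, pattern)
        if hit:
            counts[hit["src_ip"]] = counts.get(hit["src_ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # The IPv4-only pattern silently drops the IPv6 client from the panel.
    print("IPv4-only pattern :", top_src_ip(SAMPLE_EVENTS, IPV4_ONLY))
    print("IPv4+IPv6 pattern :", top_src_ip(SAMPLE_EVENTS, ANY_IP))
```

The same regex shape works as a Splunk search-time extraction (for example `EXTRACT-client = client (?<src_ip>[0-9A-Fa-f:.]+)#(?<src_port>\d+)` in a local props.conf stanza for the sourcetype; this stanza is an assumption for illustration, not the add-on's shipped configuration). The point worth checking in any such extraction is that the regex terminates on the `#` rather than on a fixed address shape, since a pattern that only knows dotted quads does not error, it just quietly under-counts IPv6 clients.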