
Infoblox DHCP Fingerprinting

New Member

Looking at the Dashboard for Top Device Classes, I tried modifying the Fingerprint panel and changed it to multiselect from dropdown; however, the results returned are from only one Fingerprint choice. I am not able to choose more than one Fingerprint. I need to be able to specify multiple Fingerprint choices and return results on those multiple Fingerprints.

0 Karma

Re: Infoblox DHCP Fingerprinting

SplunkTrust

You have a few changes to make. First, go back to your newly modified Multiselect. The overview is that in the "Token Options" section, you need to tell it how to build the portion of the search string you need, then in the search you'll need to tell it to use that token.

In my sample case (tossed together from some firewall information), I used a multiselect drop down to pick my "OUT" interface. This is ONLY an example, give more specifics and we can probably help more, but hopefully this will be enough.

So, first, the search I need the dashboard panel to run should look something like the below. You may want to open the search for that panel in Search and figure out what you actually need here, or maybe you already know well enough.

index=myindex sourcetype=mysourcetype OUT=X OR OUT=Y OR OUT=Z | blah blah.

So for my Token Options, I have

Token : out_tok (just a naming convention I learned for tokens ages ago).

Token Value Prefix : OUT=
Delimiter : OR
(Note, there is a space both before and after that " OR ")

If you watch the little "preview" section below the delimiter as you do this, you'll see it show you an example like OUT=value1 OR OUT=value2 OR ... and since that's exactly what I want to see, we're good here.

A note: you probably won't have to change the Dynamics Options Search String here (farther down the multiselect's properties), but you MAY want to run it in Search (there's a link right below it) to see what it actually outputs.

Now, on to the changes to the dashboard panel.

Click the Edit button for the search (Magnifying glass) and "Edit Search". You need to now wedge your token (which again will end up like "OUT=X OR OUT=Y") into your search, preferably the base search but that may take fiddling to figure out where's best. So in my case, I had

index=myindex sourcetype=mysourcetype | eval source_isLocal=....<big long nasty thing here>

So I modified it to

index=myindex sourcetype=mysourcetype $out_tok$ | eval ....<big long nasty thing here>

After that I saved the dashboard, then REFRESHED THE PAGE WITH F5. This isn't ALWAYS necessary, but can often be.

Then my drop down showed the two interfaces, each of which I could select, and which then filtered my dashboard panel.

Here's the doc for multiple value selections. There are links in there for each option type and how to put things together. A little searching or digging will turn up a lot more, including several Splunk education courses that will help too.

0 Karma

Re: Infoblox DHCP Fingerprinting

New Member

Thank you very much for your feedback. So this is what I'm running into. If I manually run a search, I have no problems; I can enter multiple values for my search and get my desired results. However, in the dashboard, if I make multiple choices in the multiselect panel, my only results are for my first choice and any other added choices are ignored. Here are my Token Options for the multiselect panel:
Token: fingerprint
Default: blank
Initial Value: blank
Token Prefix: blank
Token Suffix: blank
Token Value Prefix: (FINGERPRINT=="
Token Value Suffix: ")
Delimiter: OR
Preview: (FINGERPRINT=="value1") OR (FINGERPRINT=="value2") OR ...

The syntax in the preview is correct and works during a manual search.

0 Karma

Re: Infoblox DHCP Fingerprinting

SplunkTrust

Can you paste the entire search from the panel that doesn't work? Please be sure to format the code using the "Code Sample" button (the 101010 button) so that the formatting doesn't get lost.

0 Karma

Re: Infoblox DHCP Fingerprinting

Splunk Employee

@sdeforke - Are you using the Splunk Add-on for Infoblox? I just want to make sure your post is tagged appropriately. Thanks!

0 Karma