We have installed and configured the Splunk App for Windows Infrastructure (v1.4.2) which includes inputs.conf and props.conf for Windows DHCP log files.
inputs.conf:

[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows

props.conf:

[source::....DhcpSrvLog]
sourcetype = DhcpSrvLog

[source::...\\(DhcpSrvLog-)...]
sourcetype = DhcpSrvLog

[DhcpSrvLog]
SHOULD_LINEMERGE = false
TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
REPORT-dest_for_microsoft_dhcp = dest_nt_host_as_dest,dest_mac_as_dest,dest_ip_as_dest
LOOKUP-signatureformicrosoftdhcp = msdhcpsignaturelookup msdhcpid OUTPUTNEW signature
LOOKUP-vendorinfoformicrosoftdhcp = windowsvendorinfo_lookup sourcetype OUTPUT vendor,product
We have also installed the Splunk Common Information Model (v4.9.1). From the Splunk documentation: "The Splunk Add-on for Windows provides Common Information Model information, the index-time and search-time knowledge for Windows events, metadata, user and group information, collaboration data, and tasks in the following formats."
I am expecting DHCP data to be tagged with tag=dhcp and a field named signature extracted. We are getting DHCP events, but no tagging and no field extraction. Currently running Splunk Enterprise v7.0.
What are we missing?
You are indexing your data in index=windows, instead of the default index.
You need to update the eventtypes stanza. Can you add the following configuration in $SPLUNKHOME/etc/apps/SplunkTA_windows/local/eventtypes.conf?

[DhcpSrvLog]
search = index=windows sourcetype=DhcpSrvLog
#tags = dhcp network session windows

For the signature field, do you have an msdhcpid field in your msdhcpsignature_lookup file?
In case you are checking this in a clustered environment, you need to ensure that the props.conf configurations are present on the search head.
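The mismatch above (data lands in index=windows while the eventtype search only reaches the default index, so the tags hanging off that eventtype never fire) is easy to catch before it costs a day of troubleshooting. The script below is an added example, not part of the Splunk App for Windows Infrastructure or the Windows TA: it parses a Splunk inputs.conf and eventtypes.conf and reports every enabled monitor input whose sourcetype/index pair no eventtype search can reach. The sample inputs.conf stanza is the one from the question; the "before" eventtypes.conf stanza is a constructed, hypothetical default that omits index=, and the "after" stanza is the one proposed in the answer. It assumes a search with no index= term hits only the default index main, and it only understands simple index=/sourcetype= terms (no boolean logic).

```python
"""Check that every enabled monitor:// input's sourcetype+index is reachable by
at least one eventtype search, so tags attached to that eventtype can apply.

Added example (not Splunk's or the TA's own code). Assumptions: a search with no
index= term is treated as covering only DEFAULT_INDEX; searches are parsed for
plain index=X / sourcetype=Y terms only, wildcards allowed."""
import re
from fnmatch import fnmatchcase

DEFAULT_INDEX = "main"  # assumption: the searching user's default index


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def monitor_sourcetypes(inputs_conf):
    """Map sourcetype -> index for every enabled [monitor://...] stanza."""
    result = {}
    for name, settings in parse_conf(inputs_conf).items():
        if not name.startswith("monitor://"):
            continue
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        if settings.get("sourcetype"):
            result[settings["sourcetype"]] = settings.get("index", DEFAULT_INDEX)
    return result


def _terms(search, field):
    """Lower-cased values of field=value terms in a search string (quotes optional)."""
    pattern = rf'\b{field}\s*=\s*"?([\w:*.-]+)"?'
    return {m.lower() for m in re.findall(pattern, search, re.I)}


def search_covers(search, index, sourcetype):
    """True if the eventtype search can return events from (index, sourcetype)."""
    indexes = _terms(search, "index") or {DEFAULT_INDEX}
    sourcetypes = _terms(search, "sourcetype") or {"*"}
    return (any(fnmatchcase(index.lower(), p) for p in indexes)
            and any(fnmatchcase(sourcetype.lower(), p) for p in sourcetypes))


def find_uncovered(inputs_conf, eventtypes_conf):
    """Return [(sourcetype, index, [eventtypes that name the sourcetype but miss the index])]."""
    eventtypes = parse_conf(eventtypes_conf)
    gaps = []
    for sourcetype, index in monitor_sourcetypes(inputs_conf).items():
        if any(search_covers(s.get("search", ""), index, sourcetype) for s in eventtypes.values()):
            continue
        near_miss = sorted(n for n, s in eventtypes.items()
                           if sourcetype.lower() in s.get("search", "").lower())
        gaps.append((sourcetype, index, near_miss))
    return gaps


# Constructed sample configs: the input stanza from the question, a hypothetical
# default eventtype without index=, and the corrected stanza from the answer.
INPUTS_CONF = r"""
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows
"""
EVENTTYPES_BEFORE = """
[DhcpSrvLog]
search = sourcetype=DhcpSrvLog
"""
EVENTTYPES_AFTER = """
[DhcpSrvLog]
search = index=windows sourcetype=DhcpSrvLog
#tags = dhcp network session windows
"""

if __name__ == "__main__":
    for label, conf in (("before", EVENTTYPES_BEFORE), ("after", EVENTTYPES_AFTER)):
        print(label, find_uncovered(INPUTS_CONF, conf))
```

Run it against the real files under $SPLUNK_HOME/etc/apps/<app>/default and local (merging local over default the way Splunk does) and a non-empty result tells you which eventtype stanza to override, before you start chasing missing tags at search time.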
Thanks. I very much appreciate the fast response. We are looking at the proposed changes now.
I am curious though, if anyone knows why changes would be needed to the default Windows TA conf files to make this work?