Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How does splunk react to dynamic assets?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is my question.
List A has 150 hosts. Imported 3 weeks ago. Mostly static addresses, some dynamic
List B has 300 hosts. Imported 1 week ago. Some static, most dynamic
How does splunk handle the following:
1) If there is an asset in List A but not List B, does Splunk remove the asset or does it keep it?
2) If there is an updated DNS or IP address, does it create two entries for that specific assets?
-Specifically if there is a host with an updated dynamic IP address, does it keep both entries?
-If there is an old IP address in Splunk that is reused and now becomes a static IP address for a server, what DNS would Splunk show?
3) If there are assets in List A and List B, does it duplicate the asset entry?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk doesn't remove anything unless you tell it to. All 450 entries will be there. The ones from list A will have a different timestamp from list B.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk doesn't remove anything unless you tell it to. All 450 entries will be there. The ones from list A will have a different timestamp from list B.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So when I run a search string for a DNS host that had an IP address change from list A to B, it would show both addresses in the log, just a different time stamp?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, that helps me a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome.
(Friendly tip: Next time, you should consider accepting the actual answer rather than your own followup question.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(You should add comments rather than new answers when asking followups to answers.)
Yes, that's exactly what would happen, you'd get a history of each host's IP address.
If that's not what you want, and you only want the most current host IP address to show up in your searches, you might consider writing your list out as a CSV file, overwriting it each time you generate it, and then use lookup to refer to it from Splunk. This will explain more fully what I'm talking about: http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addfieldsfromexternaldatasources
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
