Getting Data In

Can I take one IP with two different sets of logs (DNS and DHCP) and import that into two different sourcetypes?

aaron_schmuhl
Engager

So, here's my admittedly dumb situation. I have an IPAM appliance(s) that does both DNS and DHCP. The output port for the logs isn't configurable according to the admin, so we're stuck with udp/514. Normally, getting two different IPs into the same port and differentiating traffic is pretty straightforward... but that's not what I have.

Can I somehow take one IP (say 192.168.1.1) with two different sets of logs (DNS and DHCP) and somehow import that into two different sourcetypes? Can I determine sourcetype with a regex somehow?


sduff_splunk
Splunk Employee

In props.conf (assuming the current sourcetype is udp:514)

[udp:514]
TRANSFORMS-set_sourcetype_ipam = ipam_sourcetype_dns, ipam_sourcetype_dhcp

In transforms.conf

[ipam_sourcetype_dns]
REGEX = <regex for dns event>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dns

[ipam_sourcetype_dhcp]
REGEX = <regex for dhcp>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dhcp

You will need to develop your own regexes for the two event types, and put that in the transforms.conf file, and then all future events will be sourcetype'd appropriately.

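The override chain from the answer above, dry-run on a few constructed syslog lines. This is an added example, not code from the original post or from Splunk: it embeds a props.conf/transforms.conf pair with the same stanza and class names as the answer, but the two REGEX values and the sample events are assumptions written for ISC-style named/dhcpd messages, and the loop models Splunk's behaviour as "apply the listed transforms in order, each match overwrites the sourcetype" using Python's re module rather than Splunk's PCRE engine. Treat it as a regex smoke test before the conf goes onto the heavy forwarder or indexer, not as a substitute for testing there.

```python
"""Dry-run of a Splunk sourcetype override chain (props.conf + transforms.conf).

Added example; not code from the original post or from Splunk. The regexes and
sample syslog lines are constructed assumptions for ISC-style named/dhcpd output.
"""
import configparser
import re

# Constructed props.conf fragment: same stanza and class name as the answer.
PROPS_CONF = """
[udp:514]
TRANSFORMS-set_sourcetype_ipam = ipam_sourcetype_dns, ipam_sourcetype_dhcp
"""

# Constructed transforms.conf fragment: the two REGEX values are assumptions.
TRANSFORMS_CONF = r"""
[ipam_sourcetype_dns]
REGEX = named\[\d+\]:\s+client\s+\S+#\d+:\s+query:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dns

[ipam_sourcetype_dhcp]
REGEX = dhcpd\[\d+\]:\s+DHCP(?:DISCOVER|OFFER|REQUEST|DECLINE|ACK|NAK|RELEASE|INFORM)\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ipam:dhcp
"""

# Constructed sample events, all from the one host, as they would arrive on udp/514.
SAMPLE_EVENTS = [
    "<30>Jan 12 10:14:02 ipam01 named[2345]: client 192.168.1.57#51234: query: www.example.com IN A + (192.168.1.1)",
    "<30>Jan 12 10:14:01 ipam01 dhcpd[1234]: DHCPREQUEST for 192.168.1.57 from 00:11:22:33:44:55 (host-57) via eth0",
    "<30>Jan 12 10:14:01 ipam01 dhcpd[1234]: DHCPACK on 192.168.1.57 to 00:11:22:33:44:55 (host-57) via eth0",
    "<38>Jan 12 10:14:05 ipam01 sshd[777]: Accepted publickey for admin from 10.0.0.5 port 52210 ssh2",
]


def load_conf(text):
    """Parse a Splunk-style .conf fragment: keys stay case-sensitive and '=' is the
    only delimiter, so a ':' inside values such as MetaData:Sourcetype survives."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transform_chain(props, transforms, sourcetype):
    """Resolve every TRANSFORMS-* class of a props stanza into an ordered list of
    (transform name, compiled regex, new sourcetype) for sourcetype rewrites."""
    chain = []
    for key, value in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if name not in transforms:
                raise KeyError(f"{key} references missing transform [{name}]")
            stanza = transforms[name]
            if stanza.get("DEST_KEY") != "MetaData:Sourcetype":
                continue  # only sourcetype overrides are modelled here
            fmt = stanza["FORMAT"]
            prefix = "sourcetype::"
            if not fmt.startswith(prefix):
                raise ValueError(f"[{name}] FORMAT must start with {prefix}, got {fmt!r}")
            chain.append((name, re.compile(stanza["REGEX"]), fmt[len(prefix):]))
    return chain


def route(event, chain, default):
    """Apply the chain in listed order. Assumption: each matching transform
    overwrites the sourcetype, so with overlapping regexes the last match wins."""
    sourcetype, matched = default, []
    for name, regex, new_sourcetype in chain:
        if regex.search(event):
            sourcetype = new_sourcetype
            matched.append(name)
    return sourcetype, matched


def check(events, chain, default="udp:514"):
    """Route every event and flag the two failure modes worth catching early:
    events no regex claims (they silently keep the default sourcetype and get
    none of the DNS/DHCP field extractions) and events claimed by more than one
    regex (the result then depends on list order)."""
    report = {"routed": [], "unmatched": [], "ambiguous": []}
    for event in events:
        sourcetype, matched = route(event, chain, default)
        report["routed"].append((sourcetype, event))
        if not matched:
            report["unmatched"].append(event)
        elif len(matched) > 1:
            report["ambiguous"].append(event)
    return report


if __name__ == "__main__":
    chain = transform_chain(load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF), "udp:514")
    report = check(SAMPLE_EVENTS, chain)
    for sourcetype, event in report["routed"]:
        print(f"{sourcetype:<10} {event[:70]}")
    print("unmatched:", len(report["unmatched"]), "ambiguous:", len(report["ambiguous"]))
```

Replace SAMPLE_EVENTS with a few hundred lines captured from the real appliance before deploying: the unmatched list is exactly the traffic that will stay on udp:514 (and so stay invisible to any search or alert scoped to ipam:dns or ipam:dhcp), and a non-empty ambiguous list means the two regexes overlap and the outcome hinges on their order in the TRANSFORMS- list.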

bmacias84
Champion

It's possible using a transforms and props conf. You will have to come up with a regex that will capture the event; when a match occurs, you will overwrite the meta field for sourcetype. This can be done on a heavy forwarder or indexer.
