Reporting

Substitution/Mapping table of user to IP address for report?

tjharris
New Member

I have a few web application reports and they are great, except the log data only has the user's IP address, which I want to map to user names. I have good mapping data from my DHCP. But, I've been unable to find how I can use a data table to map the user name in for the IP address in my output table.

I'm using Splunk Cloud. Any pointers on how this can be done?

0 Karma

Tim_1
Path Finder

You could use your DHCP data as a static lookup, then join within the query using the 'lookup' or 'inputlookup' command.
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/lookup

0 Karma

p_gurav
Champion

Can you provide some sample events from DHCP and user data?

0 Karma

tjharris
New Member

The DHCP data is not emitted into Splunk. It's just a static map of IP->User. I have it as an external CSV file, which I can import into Splunk if needed. My goal is then to use that mapping table of IP:User to swap out IP address for user names in my report table.

0 Karma

p_gurav
Champion

You can try uploading the CSV file as a lookup and then map it with your report. This may help:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchTutorial/Usefieldlookups

0 Karma
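
The approach suggested in the answers above, written out as a search. This is an added example, not part of the original thread. The index `web`, the sourcetype `access_combined`, the event fields `clientip` and `uri_path`, the lookup file name `ip_user_map.csv` and its column headers `ip` and `user` are all assumptions; substitute the names from your own data and from the CSV you upload as a lookup table file.

```spl
index=web sourcetype=access_combined
| lookup ip_user_map.csv ip AS clientip OUTPUT user
| eval user=coalesce(user, "unmapped:" . clientip)
| stats count AS requests, dc(uri_path) AS distinct_paths, latest(_time) AS last_seen BY user
| convert ctime(last_seen)
| sort - requests
```

The `coalesce` keeps addresses that are missing from the CSV visible in the report instead of dropping them into an empty `user` row. A static export is only as accurate as the lease assignments it was taken from, so re-upload the CSV whenever addresses are reassigned.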