Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating Assets csv file correlating logs from dhcp and Cisco ISE

SourabhKhampari
Engager
‎05-13-2019 05:40 AM

We are creating assets inventory using different logs in Splunk.
For this purpose, we first created list of “nt_host” and “owner” using Cisco ISE:
index=iseindex….. |table nt_host owner” | dedup nt_host | outputlookup ise_hosts.csv
We are getting proper expecterd ise_hosts csv file as below.
nt_host owner
ASSET-1 USER1
ASSET2 USER2
ASSET3 USER3

We now use this csv file to get owner information in dhcp logs as below:

index=dhcpindex .... |lookup ise_hosts nt_host output owner | table nt_host ip owner | dedup nt_host | outputlookup final.csv

But we are getting the same owner multiple times as attached. Please assist.alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...