Splunk Enterprise Security

Infoblox Sourcetype Branch Failures

panovattack
Communicator

We are taking in infoblox logs via syslog and are getting inconsistent results. We have a clustered environment. The infoblox app is installed on a search head and the infoblox data is coming in via syslog on an indexer. On the indexer, the sourcetype is manually set to infoblox:file. The last several days, the branch to infoblox:dhcp and infoblox:dns worked perfectly. Over the last couple days we are now only seeing infoblox:file, as if the sourcetype branches are no longer working. On the search head, we've verified the sourcetypes and the transforms. I can't seem to figure out why this is occurring. Do we need to install the infblox app on the indexer as well? This breaks Splunk Common Information Model (CIM) compliance and by extension Splunk Enterprise Security. Any advice on troubleshooting?

Splunk Add-on for Infoblox Splunk_TA_infoblox 1.0.2

0 Karma
1 Solution

panovattack
Communicator

Resolved by pushing application to indexer.

View solution in original post

0 Karma

panovattack
Communicator

Resolved by pushing application to indexer.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Which Infoblox add-on are you using? The TA-infoblox or the Splunk Add-on for Infoblox? I just want to make sure your post is tagged correctly.

0 Karma

panovattack
Communicator

Good catch. Fixed.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...