Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to have a notable event search DHCP logs based on source in FW logs?

Stevensmith529
New Member
‎02-10-2017 03:51 PM

Hello

i have been trying to figure this out for days now.

i have logs coming in from multiple sources that only display IP address (src, dst, etc). what i would like to happen is that when a notable event fires, it searches the DHCP logs to tie a hostname to IP address at time of event. the logs are in separate indexes and i have tried join, transaction etc. i think a problem might be that in the events generating notables they are listed as src, src_ip, dst but in the DHCP logs they are shown as dest_ip. i need to map the dest (hostname) field to the ip field. sample below

index=IPS "cat=peer to peer" src=10.139.114.171

index=dhcp sourcetype=dhcpsrvlog dest_ip=10.139.114.171

is it possible to have the notable event spawn a subsearch to correlate this data?

0 Karma
Reply

starcher
Influencer
‎02-11-2017 04:01 AM

My recommendation is the common splunk pattern of lookup gen a time based lookup. Assign the lookup on the source type.

So make a search that runs in short intervals to update the time based lookup table.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Configureatime-boundedlookup

Then assign it as an auto lookup to the source type.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

0 Karma
Reply

Stevensmith529
New Member
‎02-13-2017 11:51 AM

thank you for the response. i had considered a lookup table, however this wouldn't allow for historical searches. i guess maybe a combination of both might work

0 Karma
Reply

starcher
Influencer
‎02-13-2017 11:56 AM

A time based lookup would allow for historical searches.

0 Karma
Reply

pradeepkumarg
Influencer
‎02-10-2017 11:36 PM

What have you tried so far? What was the outcome and what is the expected output? If I understand it correctly, you want to get the data from IPS index based on the dest_ips from dhcp index.. You can use the subsearch and rename the field in your search from des_ip to src to match the events. something like below

index=IPS "cat=peer to peer" src=10.139.114.171 | [search index=dhcp sourcetype=dhcpsrvlog dest_ip=10.139.114.171 | table dest_ip | rename dest_ip as src]

0 Karma
Reply

Stevensmith529
New Member
‎02-13-2017 12:06 PM

thank you for the response. i have tried several variations of what you have provided and it always provides zero results. i can get results with independent searches but as soon as i do a join i get nothing. im thinking it has something to do with the time differential. the IPS event happened 15 minutes ago, but the dhcp request was logged 4 hours ago?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...