Hello
I have been trying to figure this out for days now.
I have logs coming in from multiple sources that only display IP addresses (src, dst, etc.). What I would like to happen is that when a notable event fires, it searches the DHCP logs to tie a hostname to the IP address at the time of the event. The logs are in separate indexes and I have tried join, transaction, etc. I think a problem might be that in the events generating notables they are listed as src, src_ip, dst, but in the DHCP logs they are shown as dest_ip. I need to map the dest (hostname) field to the IP field. Sample below:
index=IPS "cat=peer to peer" src=10.139.114.171
index=dhcp sourcetype=dhcpsrvlog dest_ip=10.139.114.171
Is it possible to have the notable event spawn a subsearch to correlate this data?
My recommendation is the common Splunk pattern of using lookup generation to build a time-based lookup. Assign the lookup to the sourcetype.
So make a search that runs at short intervals to update the time-based lookup table.
https://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Configureatime-boundedlookup
Then assign it as an automatic lookup on the sourcetype.
Thank you for the response. I had considered a lookup table; however, this wouldn't allow for historical searches. I guess maybe a combination of both might work.
A time-based lookup would allow for historical searches.
What have you tried so far? What was the outcome and what is the expected output? If I understand it correctly, you want to get the data from the IPS index based on the dest_ips from the dhcp index. You can use a subsearch and rename the field in your search from dest_ip to src to match the events. Something like below:
index=IPS "cat=peer to peer" src=10.139.114.171 [search index=dhcp sourcetype=dhcpsrvlog dest_ip=10.139.114.171 | table dest_ip | rename dest_ip as src]
Thank you for the response. I have tried several variations of what you have provided and it always returns zero results. I can get results with independent searches, but as soon as I do a join I get nothing. I'm thinking it has something to do with the time differential: the IPS event happened 15 minutes ago, but the DHCP request was logged 4 hours ago?
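Added illustration, not from anyone in this thread: a small Python model of why the join/subsearch returns nothing when the DHCP lease was logged hours before the notable event, and what the time-based lookup recommended above does differently. It mirrors the matching rule of a Splunk time-bounded lookup (a time_field column in the lookup plus a max_offset_secs setting, configured per the linked documentation) so the behaviour is visible outside Splunk. The lease rows, the lookup_time column name, the hostnames and the timestamps are all constructed for the example.

```python
"""Model of a Splunk time-bounded lookup versus a same-window join.
Sample leases, hostnames and times are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Lease:
    lookup_time: datetime  # when the DHCP server logged the lease (the lookup's time_field)
    dest_ip: str           # address handed out (dest_ip in the dhcpsrvlog events)
    dest: str              # hostname the lease went to


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed rows in the shape a scheduled
# "... | table lookup_time dest_ip dest | outputlookup ..." search would write.
LEASES: List[Lease] = [
    Lease(_t("2017-03-01T08:00:00"), "10.139.114.171", "HOST-A"),
    Lease(_t("2017-03-01T08:05:00"), "10.139.114.20", "HOST-C"),
    Lease(_t("2017-03-01T12:00:00"), "10.139.114.171", "HOST-B"),  # address re-leased
]


def resolve_hostname(ip: str, event_time: str, leases: List[Lease] = LEASES,
                     max_offset_secs: int = 8 * 3600) -> Optional[str]:
    """Time-bounded lookup rule: the most recent lease for `ip` logged at or
    before the event time and no older than max_offset_secs wins."""
    when = _t(event_time)
    candidates = [
        lease for lease in leases
        if lease.dest_ip == ip
        and lease.lookup_time <= when
        and (when - lease.lookup_time).total_seconds() <= max_offset_secs
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda lease: lease.lookup_time).dest


def same_window_join(ip: str, event_time: str, leases: List[Lease] = LEASES,
                     window_secs: int = 15 * 60) -> Optional[str]:
    """Models the failing join/subsearch: the DHCP event only matches if it
    falls inside the same short search window as the notable event."""
    when = _t(event_time)
    start = when - timedelta(seconds=window_secs)
    for lease in leases:
        if lease.dest_ip == ip and start <= lease.lookup_time <= when:
            return lease.dest
    return None


if __name__ == "__main__":
    ev = "2017-03-01T16:00:00"  # IPS event, four hours after the lease was logged
    print("same-window join:", same_window_join("10.139.114.171", ev))         # None
    print("time-bounded lookup:", resolve_hostname("10.139.114.171", ev))        # HOST-B
    print("earlier event:", resolve_hostname("10.139.114.171", "2017-03-01T10:00:00"))  # HOST-A
```

Because the lookup keeps the lease's own timestamp rather than requiring it to fall in the notable's search window, the same table also answers historical questions (an event at 10:00 resolves to HOST-A, the lease in force then), which is the point made in the reply above.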