Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Identifying user based on IP Address/ Hostname

jonaclough
Path Finder
‎04-07-2021 06:23 AM
 
 
 

We need to add users to our (unauthenticated) internal proxy logs. Currently the proxy logs only identity the initiator by IP address.

We have DHCP and/or windows desktop logs to link the IP to a hostname. We have windows logon events which contain the hostname and user fields. Multiple users are able to log onto certain hosts and indeed might be logged on at the same time (using fast user switching).

Has anyone any advice on how to solve this problem at scale (30 million events/hour)

Labels (1)
Labels
0 Karma
Reply

aasabatini
Motivator
‎04-07-2021 06:49 AM

Hi @jonaclough 

I think the best way is create a identity and asset lookup table to manage better the logs flow.

Please check how works lookup table:

https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

jonaclough
Path Finder
‎04-07-2021 08:05 AM

That's a link to DSP which is not relevant. Identity and Asset lookups are not going to work either as users do not own hosts. 

I'm not sure if you are trying to grab Karma for your own purposes but your response is in no way relevant or helpful.

Reply

aasabatini
Motivator
‎04-07-2021 08:17 AM

Hi @jonaclough 

sorry if my solution doesn't work for you or isn't relevant,however I did not like your controversial comment.
I tried to help, if my help doesn''t works please try to explain better.

how many sources are involved?

why Identity lookup doesn't works to with users and associated IP?


maybe your enviroment have many record in your lookup you can think to migrate to kvstore

Please let me know I am a splunk enthusiast I don't need karma for my purposes 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-21-2021 07:37 AM

Hi @aasabatini 

I have no doubt you are an enthusiast (what's not to love about splunk?! 😀), but it is curious that there are a number of accounts whose sole purpose seems to be to keep you in the top 4 karma authors. Just sayin'

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...