We need to add users to our (unauthenticated) internal proxy logs. Currently the proxy logs only identity the initiator by IP address.
We have DHCP and/or windows desktop logs to link the IP to a hostname. We have windows logon events which contain the hostname and user fields. Multiple users are able to log onto certain hosts and indeed might be logged on at the same time (using fast user switching).
Has anyone any advice on how to solve this problem at scale (30 million events/hour)
Hi @jonaclough
I think the best way is create a identity and asset lookup table to manage better the logs flow.
Please check how works lookup table:
https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup
That's a link to DSP which is not relevant. Identity and Asset lookups are not going to work either as users do not own hosts.
I'm not sure if you are trying to grab Karma for your own purposes but your response is in no way relevant or helpful.
Hi @jonaclough
sorry if my solution doesn't work for you or isn't relevant,however I did not like your controversial comment.
I tried to help, if my help doesn''t works please try to explain better.
how many sources are involved?
why Identity lookup doesn't works to with users and associated IP?
maybe your enviroment have many record in your lookup you can think to migrate to kvstore
Please let me know I am a splunk enthusiast I don't need karma for my purposes
Hi @aasabatini
I have no doubt you are an enthusiast (what's not to love about splunk?! 😀), but it is curious that there are a number of accounts whose sole purpose seems to be to keep you in the top 4 karma authors. Just sayin'