Splunk Search

Identifying user based on IP Address/ Hostname

jonaclough
Explorer
 
 
 

We need to add users to our (unauthenticated) internal proxy logs. Currently the proxy logs only identity the initiator by IP address.

We have DHCP and/or windows desktop logs to link the IP to a hostname. We have windows logon events which contain the hostname and user fields. Multiple users are able to log onto certain hosts and indeed might be logged on at the same time (using fast user switching).

Has anyone any advice on how to solve this problem at scale (30 million events/hour)

Labels (1)
0 Karma

aasabatini
Communicator

Hi @jonaclough 

I think the best way is create a identity and asset lookup table to manage better the logs flow.

Please check how works lookup table:

https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup

 

 

0 Karma

jonaclough
Explorer

That's a link to DSP which is not relevant. Identity and Asset lookups are not going to work either as users do not own hosts. 

I'm not sure if you are trying to grab Karma for your own purposes but your response is in no way relevant or helpful.

aasabatini
Communicator

Hi @jonaclough 

sorry if my solution doesn't work for you or isn't relevant,however I did not like your controversial comment.
I tried to help, if my help doesn''t works please try to explain better.

how many sources are involved?

why Identity lookup doesn't works to with users and associated IP?


maybe your enviroment have many record in your lookup you can think to migrate to kvstore

Please let me know I am a splunk enthusiast I don't need karma for my purposes 

0 Karma