Splunk Search

Identifying user based on IP Address/ Hostname

jonaclough
Path Finder
 
 
 

We need to add users to our (unauthenticated) internal proxy logs. Currently the proxy logs only identity the initiator by IP address.

We have DHCP and/or windows desktop logs to link the IP to a hostname. We have windows logon events which contain the hostname and user fields. Multiple users are able to log onto certain hosts and indeed might be logged on at the same time (using fast user switching).

Has anyone any advice on how to solve this problem at scale (30 million events/hour)

Labels (1)
0 Karma

aasabatini
Motivator

Hi @jonaclough 

I think the best way is create a identity and asset lookup table to manage better the logs flow.

Please check how works lookup table:

https://docs.splunk.com/Documentation/DSP/1.2.0/FunctionReference/Lookup

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

jonaclough
Path Finder

That's a link to DSP which is not relevant. Identity and Asset lookups are not going to work either as users do not own hosts. 

I'm not sure if you are trying to grab Karma for your own purposes but your response is in no way relevant or helpful.

aasabatini
Motivator

Hi @jonaclough 

sorry if my solution doesn't work for you or isn't relevant,however I did not like your controversial comment.
I tried to help, if my help doesn''t works please try to explain better.

how many sources are involved?

why Identity lookup doesn't works to with users and associated IP?


maybe your enviroment have many record in your lookup you can think to migrate to kvstore

Please let me know I am a splunk enthusiast I don't need karma for my purposes 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Hi @aasabatini 

I have no doubt you are an enthusiast (what's not to love about splunk?! 😀), but it is curious that there are a number of accounts whose sole purpose seems to be to keep you in the top 4 karma authors. Just sayin'

0 Karma
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...