Solved: Multiple searches over a number of days across sep...

ng87 · ‎04-01-2016

Apologies for the title, i couldn't come up with anything that made sense. Some background information before i explain what i am trying to do.

We have multiple indexes in our Splunk instance, each index represents a log source .For example we have an index for proxy logs ( source ip , dest ip , url requested etc.. ) and another index for DHCP logs ( mac address, hostname , lease time, etc... )

Now what i am trying to accomplish is with a single search to be able to see all the proxy logs for a specific laptop over a number of days. The issue i have is that every day when the laptop comes in it receives a new IP so at the moment i have to manually find from the DHCP logs what IP it had for that day and then run my proxy search for that day with the specific IP.

Is there a way to do this in a single search in Splunk by providing just a hostname or is this something i will need to script using the python/Splunk API ?

Any help would be appreciated

Jeremiah · ‎04-01-2016

I can't write out the exact search you would need without having your field list and seeing samples of your logs. However, I think what you would need to do is perform a subsearch which matches the computer you are looking for (either by hostname or MAC address). Then use that to find all of the IP addresses used by the computer in the time period you are searching. Then the subsearch will return the IP address list to the main search, which will search the proxy logs for that specific IP address(es). Something like this:

index=proxy [search index=dhcp <MAC address or hostname> | rename ip_address AS source_ip | dedup source_ip | fields source_ip]

One problem you may run into is that if you search over long ranges of time, the IP address may move from one client to another. You could then try using join with your search and use time as one of the matching elements.

index=proxy | join source_ip usetime=true earlier=true [ search index=dhcp <MAC address or hostname> | rename ip_address AS source_ip]

View solution in original post

Jeremiah · ‎04-01-2016

I can't write out the exact search you would need without having your field list and seeing samples of your logs. However, I think what you would need to do is perform a subsearch which matches the computer you are looking for (either by hostname or MAC address). Then use that to find all of the IP addresses used by the computer in the time period you are searching. Then the subsearch will return the IP address list to the main search, which will search the proxy logs for that specific IP address(es). Something like this:

index=proxy [search index=dhcp <MAC address or hostname> | rename ip_address AS source_ip | dedup source_ip | fields source_ip]

One problem you may run into is that if you search over long ranges of time, the IP address may move from one client to another. You could then try using join with your search and use time as one of the matching elements.

index=proxy | join source_ip usetime=true earlier=true [ search index=dhcp <MAC address or hostname> | rename ip_address AS source_ip]

somesoni2 · ‎04-01-2016

This is a classic requirement for Time-based lookup. See here for more details
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureatime-boundedlookup

Basically you would need to create a time based lookup which be populated from your DHCP logs (will contain TIME, hostname and IP address on that TIME) and this will be used in lookup command while searching for proxy logs to get/filter/assign hostname for the source ip.

Multiple searches over a number of days across separate indexes

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms