I want to monitor the subnet 172.30.0.0/24 through splunk, which IP address is used and which is not. Whenever new IP address comes live or assign to any host, new alert should be made.
You might want to check out Asset Discovery app. https://splunkbase.splunk.com/app/662/ Allows for monitoring assets status, and can scan subnets etc. loggin the status in to Splunk so that you can alert on things or review them.
Please tell us more about your use case. Splunk is not a network monitor. It merely digests information provided by monitoring tools and displays and/or alerts on that data.
Depending on your environment and policies, you may be able to use nmon or the logs from your network devices.
@richgalloway Thank you. Let me rephrase, we have subnet 1723.0.0/24 and only 15 IP addresses are being used for the last six months. Last week we came to know two more IP Addresses are also in use as asset count increased. we want a use case if a new asset is provisioned, an alert should be generated.
Thanks for clarifying. My answer still applies. Whatever device provisions IP addresses (your AD/DHCP server, perhaps) needs to send events to Splunk when it does so. Splunk can notify you of new or excess address use.
That takes DHCP out of the picture, but you still have nmon and your network devices available. They can let Splunk know when a device connects to the network. Splunk then can alert you if the device has not been seen before.