I have 2 logs being imported into Splunk Cloud -
Proxy logs that contain IP address, URL, etc. (all successfully extracted)
DHCP logs that contain username and IP address
What's the best way to tie the 2 together so I can assign a username to the proxy logs? Does a nightly report work best?
Proxy Fields: Time, IP Address, URL, Category
DHCP Log: Username, IP Address, Time IP assigned (a client usually keeps the same IP address the entire time, so I'd be searching on who had the IP address assigned last - this could be 2 hours ago or 1 month ago, since this log only updates if their IP address changes, not when the IP address is renewed)
Your DHCP logs probably mean something like "from now on for the next X amount of time, this IP belongs to that person", right?
Using that, I'd build a time-based lookup containing the timestamp of the lease as the lookup's time field, the IP and user to do the actual looking up, and with the maximum offset in props.conf set to the lease duration your DHCP uses. Define a frequently running scheduled search that updates the lookup with the latest incoming DHCP events to keep things fresh. Define a rarely running search to prune very old data from the lookup.
The great thing about a time-based lookup is that it'll cope well with re-assigning an IP to someone else - it's practically built for this kind of thing. If you have an event at, say, 4pm with IP 1.2.3.4 it'll look for the most recent entry before 4pm for that IP within the maximum offset / lease duration. That'll work even if 1.2.3.4 was assigned to someone else at 5pm, and it'll also work if you search for events from a long time ago - provided you still have both the proxy logs and the entries in the DHCP-fed lookup.
Great answer.
In addition you can run another scheduled search to store the combined information in a summary index.
Using this option you don't have to do the lookup every time you search.
HTH,
Holger
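The time-based lookup, the refresh and prune searches, and the summary-index step described in the two replies above, written out as Splunk configuration. This is an added example, not code from the original thread; the stanza names, file names, index names, the field names (ip, user, src_ip) and the 8-day lease duration are assumptions.

```ini
# transforms.conf: time-based lookup fed from DHCP lease events
[dhcp_lease_lookup]
filename = dhcp_leases.csv
time_field = lease_time
time_format = %s
# Furthest back a lease may be from the proxy event and still match.
# Assumed 8-day lease; raise it if your DHCP log only records changes,
# not renewals, otherwise old-but-valid leases stop matching.
max_offset_secs = 691200
min_offset_secs = 0

# savedsearches.conf: keep the lookup fresh from recent DHCP events
[Update DHCP lease lookup]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now
search = index=dhcp sourcetype=dhcp \
  | eval lease_time=_time \
  | table lease_time ip user \
  | outputlookup append=true dhcp_leases.csv

# Prune entries older than any search will need (assumed 90 days).
[Prune DHCP lease lookup]
enableSched = 1
cron_schedule = 0 3 * * 0
search = | inputlookup dhcp_leases.csv \
  | where lease_time > relative_time(now(), "-90d") \
  | outputlookup dhcp_leases.csv

# Ad hoc use: for each proxy event the lookup returns the user from the
# most recent lease at or before that event's _time (within max_offset_secs),
# so an IP reassigned later does not change historical results:
#   index=proxy | lookup dhcp_lease_lookup ip AS src_ip OUTPUT user

# Optional summary index so the join is done once per hour, not per search.
[Summarize proxy with user]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
search = index=proxy \
  | lookup dhcp_lease_lookup ip AS src_ip OUTPUT user \
  | fillnull value="unknown" user \
  | collect index=proxy_with_user
```

Events whose IP has no lease within max_offset_secs get no user from the lookup; the fillnull makes that visible as "unknown" in the summary index rather than leaving the field absent.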