Splunk Search

Tying username to ip address

pkliewer
New Member

I have 2 logs being imported into Splunk Cloud:
Proxy logs that contain IP address, URL, etc. (all successfully extracted)
DHCP logs that contain username & IP address

What's the best way to tie the 2 together so I can assign a username to the proxy logs? Does a nightly report work best?

Proxy Fields: Time, IP Address, URL, Category
DHCP Log: Username, IP Address, Time IP assigned (the client usually keeps the same IP address the entire time, so I'd be searching for who had the IP address assigned last; this could be 2 hours ago or 1 month ago, since this log only updates if their IP address changes, not if the IP address is renewed)


martin_mueller
SplunkTrust

Your DHCP logs probably mean something like "from now on for the next X amount of time, this IP belongs to that person", right?

Using that, I'd build a time-based lookup containing the timestamp of the lease as the lookup's time field, the IP and user to do the actual looking up, and with the maximum offset in props.conf set to the lease duration your DHCP uses. Define a frequently running scheduled search that updates the lookup with the latest incoming DHCP events to keep things fresh. Define a rarely running search to prune very old data from the lookup.

The great thing about a time-based lookup is that it'll cope well with re-assigning an IP to someone else - it's practically built for this kind of thing. If you have an event at, say, 4pm with IP 1.2.3.4 it'll look for the most recent entry before 4pm for that IP within the maximum offset / lease duration. That'll work even if 1.2.3.4 was assigned to someone else at 5pm, and it'll also work if you search for events from a long time ago - provided you still have both the proxy logs and the entries in the DHCP-fed lookup.

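One concrete way to set up what Martin describes, as an added example that is not from the original thread: Splunk's time-based lookup settings (`time_field`, `time_format`, `max_offset_secs`, `min_offset_secs`, `max_matches`) live in transforms.conf, and the refresh and prune jobs can be defined as scheduled searches in savedsearches.conf. The lookup name `dhcp_leases`, the index and sourcetype names, the CSV columns `lease_time`, `ip` and `user`, the proxy field `src_ip`, the 24-hour offset and the 90-day retention are all assumptions to adapt to your environment.

```ini
# transforms.conf (added example; stanza and field names are assumptions)
# CSV columns: lease_time,ip,user
[dhcp_leases]
filename        = dhcp_leases.csv
# column holding the lease timestamp, written as epoch seconds
time_field      = lease_time
time_format     = %s
# an event may be up to 24h (assumed lease length) after the lease it matches
max_offset_secs = 86400
# never match a lease that was granted after the event
min_offset_secs = 0
# return only the most recent qualifying lease for that IP
max_matches     = 1

# savedsearches.conf: keep the lookup fresh with new DHCP lease events
[Update DHCP lease lookup]
enableSched            = 1
cron_schedule          = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time   = now
# outputlookup append=true creates the file on first run and adds rows thereafter;
# overlapping windows may add duplicate rows, which the prune job removes
search = index=dhcp sourcetype=dhcp_lease \
  | eval lease_time=_time \
  | table lease_time ip user \
  | outputlookup append=true dhcp_leases.csv

# savedsearches.conf: weekly prune of rows older than the proxy data you still search
[Prune DHCP lease lookup]
enableSched   = 1
cron_schedule = 30 3 * * 0
search = | inputlookup dhcp_leases.csv \
  | where lease_time > relative_time(now(), "-90d@d") \
  | dedup lease_time ip user \
  | outputlookup dhcp_leases.csv

# Ad-hoc use: attach the user who held the source IP at the event's _time
# index=proxy sourcetype=proxy | lookup dhcp_leases ip AS src_ip OUTPUT user
```

Two points worth checking before relying on this: the prune window must be at least as long as the oldest proxy data you intend to enrich, or historical searches will silently return no user; and if the DHCP log only records new assignments rather than renewals (as the question states), `max_offset_secs` has to cover the longest gap between an assignment and the proxy event, otherwise a month-old lease will not match. A larger offset is safe only while the DHCP log reliably records every reassignment, since a missed change would attribute the IP to its previous holder.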

hsesterhenn_spl
Splunk Employee

Great answer.

In addition, you can run another scheduled search to store the combined information in a summary index.

Using this option you don't have to do the lookup every time you search.

HTH,

Holger

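Holger's summary-index variant as an added example (not from the original thread), written as a savedsearches.conf stanza. It assumes a time-based lookup named `dhcp_leases` with columns `ip` and `user` already exists, that proxy events carry `src_ip`, `url` and `category`, and that a summary index named `summary_proxy` has been created; all of those names are assumptions.

```ini
# savedsearches.conf (added example): hourly pre-join of proxy events and usernames
[Summarize proxy traffic by user]
enableSched   = 1
# run 15 minutes after each hour closes so late-arriving events are included
cron_schedule = 15 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time   = @h
# resolve the user through the time-based lookup; keep unresolved IPs visible
search = index=proxy sourcetype=proxy \
  | lookup dhcp_leases ip AS src_ip OUTPUT user \
  | fillnull value="unknown" user \
  | table _time src_ip user url category
# write the results into the summary index instead of returning them
action.summary_index = 1
action.summary_index._name = summary_proxy
# extra field stamped on every summary event so reports stay separable
action.summary_index.report = proxy_by_user

# Later searches read the pre-joined data without running the lookup again:
# index=summary_proxy report=proxy_by_user user=jdoe | stats count by url
```

Keeping `fillnull` in the search matters for investigations: an IP with no matching lease still lands in the summary index with `user=unknown`, so gaps in DHCP coverage show up as a countable value rather than as missing events.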