
Tying username to ip address

pkliewer
New Member

I have 2 logs being imported into Splunk Cloud:
- Proxy logs that contain IP address, URL, etc. (all successfully extracted)
- DHCP logs that contain username and IP address

What's the best way to tie the 2 together so I can assign a username to the proxy logs? Does a nightly report work best?

Proxy Fields: Time, IP Address, URL, Category
DHCP Log: Username, IP Address, Time IP assigned (client usually keeps same IP address the entire time, so I'd be searching on who had the IP address assigned last - this could be 2 hours ago or 1 month ago since this log only updates if their IP address changes, not if the ip address is renewed)


martin_mueller
SplunkTrust

Your DHCP logs probably mean something like "from now on for the next X amount of time, this IP belongs to that person", right?

Using that, I'd build a time-based lookup containing the timestamp of the lease as the lookup's time field, the IP and user to do the actual looking up, and with the maximum offset in props.conf set to the lease duration your DHCP uses. Define a frequently running scheduled search that updates the lookup with the latest incoming DHCP events to keep things fresh. Define a rarely running search to prune very old data from the lookup.

The great thing about a time-based lookup is that it'll cope well with re-assigning an IP to someone else - it's practically built for this kind of thing. If you have an event at, say, 4pm with IP 1.2.3.4 it'll look for the most recent entry before 4pm for that IP within the maximum offset / lease duration. That'll work even if 1.2.3.4 was assigned to someone else at 5pm, and it'll also work if you search for events from a long time ago - provided you still have both the proxy logs and the entries in the DHCP-fed lookup.

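To make the matching rule of the time-based lookup concrete, here is an added example (not part of the original thread or of Splunk) that simulates it in Python: a lookup row is chosen only if it is the most recent lease for that IP at or before the proxy event's time and no older than the maximum offset, which is the behaviour Splunk's transforms.conf `time_field` / `max_offset_secs` settings give a temporal lookup. The DHCP rows, proxy events, lease duration and retention period are constructed values; a `max_offset_hours=None` option is included for the case the asker describes, where the DHCP source only logs address changes rather than renewals, so a strict lease-length offset would drop valid matches.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease rows as they would sit in the lookup table:
# lease_time is the lookup's time field, ip and user are the lookup fields.
DHCP_LEASES = [
    {"lease_time": "2024-03-01 09:00", "ip": "1.2.3.4", "user": "alice"},
    {"lease_time": "2024-03-01 17:00", "ip": "1.2.3.4", "user": "bob"},    # IP re-assigned at 5pm
    {"lease_time": "2024-03-01 08:30", "ip": "1.2.3.5", "user": "carol"},
]

# Assumed lease duration; this is the lookup's maximum offset in the answer above.
LEASE_HOURS = 12


def _ts(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp (constructed format for this example)."""
    return datetime.fromisoformat(text)


def lookup_user(event_time, ip, leases=DHCP_LEASES, max_offset_hours=LEASE_HOURS):
    """Return the user who held `ip` at `event_time`, or None if no lease matches.

    Mirrors a time-based lookup: pick the most recent lease row for this IP whose
    timestamp is at or before the event time and no further back than the maximum
    offset. max_offset_hours=None disables the age limit, which is needed when the
    DHCP log records only address changes, not renewals.
    """
    t = _ts(event_time)
    best = None
    for row in leases:
        lease_time = _ts(row["lease_time"])
        if row["ip"] != ip or lease_time > t:
            continue  # different IP, or a lease that only starts later
        if max_offset_hours is not None and t - lease_time > timedelta(hours=max_offset_hours):
            continue  # lease row is older than the maximum offset
        if best is None or lease_time > _ts(best["lease_time"]):
            best = row  # keep the most recent qualifying lease
    return best["user"] if best else None


def enrich_proxy_events(events, leases=DHCP_LEASES, max_offset_hours=LEASE_HOURS):
    """Attach a 'user' field to each proxy event dict (keys: time, ip, url)."""
    return [dict(ev, user=lookup_user(ev["time"], ev["ip"], leases, max_offset_hours))
            for ev in events]


def prune_leases(leases, now, retention_hours):
    """The 'rarely running' cleanup: drop lease rows older than the retention window."""
    cutoff = _ts(now) - timedelta(hours=retention_hours)
    return [row for row in leases if _ts(row["lease_time"]) >= cutoff]


if __name__ == "__main__":
    # Constructed proxy events around the 5pm re-assignment of 1.2.3.4.
    proxy_events = [
        {"time": "2024-03-01 16:00", "ip": "1.2.3.4", "url": "example.com/a"},
        {"time": "2024-03-01 18:00", "ip": "1.2.3.4", "url": "example.com/b"},
        {"time": "2024-03-02 10:00", "ip": "1.2.3.4", "url": "example.com/c"},
    ]
    for ev in enrich_proxy_events(proxy_events):
        print(ev["time"], ev["ip"], ev["url"], "->", ev["user"])
```

The third event (10am the next day) gets no user with a 12-hour offset because Bob's lease row is 17 hours old; the same call with `max_offset_hours=None` attributes it to Bob. Which behaviour is right depends on whether your DHCP source logs renewals, so check that before choosing the offset.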

hsesterhenn_spl
Splunk Employee

Great answer.

In addition you can run another scheduled search to store the combined information in a summary index.

Using this option you don't have to do the lookup every time you search.

HTH,

Holger
