- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why doesn't my new lookup field show up in search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I am trying to tie mac addresses to username based on DHCP data. I have followed all the online documentation but the new field is not showing up in the field picker in the search app. I have tried checking the permissions (they're correct) and restarting splunk to no effect. Here is a sample of the DHCP data:
Jul 26 15:27:42 130.184.6.37 Jul 26 15:27:42 130.184.251.34 dhcpd: DHCPACK on 172.17.158.212 to 00:0a:5e:02:c4:58 (NetworkJack) via eth0.158
Here is a sample of the lookup file and the relevant .conf bits:
**Lookup CSV:
in /opt/splunk/etc/apps/search/lookups/dhcpd_username.csv
src_mac,user
58:b0:35:fd:c8:d5,sean
**Transforms.conf
in /opt/splunk/etc/apps/search/local/transforms.conf
[dhcpd_username]
filename = dhcpd_username.csv
**Props.conf
in /opt/splunk/etc/apps/search/local/props.conf
[dhcpd_username]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
And to get src_mac I am using the app Linux DHCP by araitz.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":
[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":
[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That was it. I knew it had to be something simple. I think I was assuming that had to match the transforms.conf. Great!!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
