Hello
I have been trying to figure this out for days now.
I have logs coming in from multiple sources that only display IP addresses (src, dst, etc.). What I would like to happen is that when a notable event fires, it searches the DHCP logs to tie a hostname to the IP address at the time of the event. The logs are in separate indexes and I have tried join, transaction, etc. I think a problem might be that in the events generating notables they are listed as src, src_ip, dst, but in the DHCP logs they are shown as dest_ip. I need to map the dest (hostname) field to the IP field. Sample below:
index=IPS "cat=peer to peer" src=10.139.114.171
index=dhcp sourcetype=dhcpsrvlog dest_ip=10.139.114.171
Is it possible to have the notable event spawn a subsearch to correlate this data?
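One way to do the correlation described in the post, as an added example rather than a search from the original thread: instead of a join (which cannot express "the lease that was active at the time of the event"), pull both sources into one search, normalise the IP into a common field, sort by IP and time, and let streamstats carry the most recent DHCP hostname forward onto each IPS event. The index names, sourcetype, and the src/dest_ip fields are taken from the post; the assumption that the DHCP hostname lives in a field called dest is also taken from the post and may need changing to whatever your DHCP add-on actually populates (for the Windows DHCP TA this is often dest_nt_host).

```spl
(index=IPS "cat=peer to peer") OR (index=dhcp sourcetype=dhcpsrvlog)
| eval ip=if(index="dhcp", dest_ip, src)
| eval hostname=if(index="dhcp", dest, null())
| eval lease_seen=if(index="dhcp", _time, null())
| sort 0 ip _time
| streamstats last(hostname) AS hostname last(lease_seen) AS lease_seen BY ip
| search index=IPS
| table _time cat src hostname lease_seen
```

Because stats functions skip null values, last(hostname) on an IPS event resolves to the hostname from the latest DHCP event for that IP that occurred at or before the event, which is the point-in-time mapping the post asks for. Two caveats: run the search over a window wide enough to include the lease that preceded the notable (a lease can be hours or days old), and if your DHCP source also logs release or expiry events, filter them out before the streamstats or the carried-forward hostname may belong to a lease that had already ended. For an Enterprise Security notable you can put the same logic in a drilldown search with src substituted into the first line.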