×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
DDIGuy
Explorer
Member since: ‎10-03-2022
‎10-07-2022
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎10-03-2022
View All

Re: Infoblox reporting splunk question.

by in Splunk Search
‎10-07-2022 05:33 AM
‎10-07-2022 05:33 AM
The following is the answer.    sourcetype=ib:audit index=ib_audit | sort -_time | rename TIMESTAMP as "Timestamp", ADMIN as "Admin", ACTION as "Action", OBJECT_TYPE as "Object Type", OBJECT_NAME as "Object Name", EXEC_STATUS as "Execution Status", MESSAGE as "Message", host as "Member" | search Admin=* Action=Created OR Action=Deleted "Object Type"="IPv4 Network Container" OR "Object Type"="IPv4 Network" |rex "comment\s(?<comment>\w+)\s" | table Admin, Action, "Object Type", "Object Name", comment ... View more

Re: Infoblox reporting splunk question.

by in Splunk Search
‎10-03-2022 10:56 AM
‎10-03-2022 10:56 AM
I am generating a report which includes all the networks and network containers created. This is working with the criteria I've provided. However, the "comment" isn't included and I would like it to be.  I would like this line to be included in the search "comment="DDIguy Reporting test" but can't figure out how to add that into the search criteria.  I'd like to pull the highlighted bit out of this stock report and include it in the report above ^.     ... View more

Infoblox reporting splunk question: How to pull in...

by in Splunk Search
‎10-03-2022 08:13 AM
‎10-03-2022 08:13 AM
Hi, I'm using the following search string in Infoblox reporting:     sourcetype=ib:audit index=ib_audit | sort -_time | rename TIMESTAMP as "Timestamp", ADMIN as "Admin", ACTION as "Action", OBJECT_TYPE as "Object Type", OBJECT_NAME as "Object Name", EXEC_STATUS as "Execution Status", MESSAGE as "Message", host as "Member" | search Admin=* Action=Created OR Action=Deleted "Object Type"="IPv4 Network Container" OR "Object Type"="IPv4 Network" | fields + Action, Admin, Member, "Object Name", "Object Type", "Comment" Timestamp |fields - _raw, _time     This search is to alert on new network or network containers created via the audit log. What I would like to do in addition to this, is pull in the comment from the network, which looks like this from the splunk search: 2022-10-03 15:00:23.984Z [guestrw]: Created Network 192.168.100.0/24 network_view=default extensible_attributes=[[name="Building",value="B2"]],address="192.168.100.0",auto_create_reversezone=False,cidr=24,comment="DDIguy Reporting test",common_properties=[domain_name_servers=[],routers=[]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False "commentDDIGUY Reporting test"  Can someone please help me understand how I can pull that into the first search query?    ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-07-2022 03:34 PM