×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
a03858
New Member
Member since: ‎04-21-2011
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-21-2011
Activity Feed
Topics I've Started
View All

Re: Logs being sent with LWF

by in All Apps and Add-ons
‎07-11-2011 09:56 AM
‎07-11-2011 09:56 AM
The link shows this search - search sourcetype=DhcpSrvLog src_mac_prefix=* | top limit=10 src_mac_vendor showperc=f - with the part before the pipe highlighted. ... View more

Logs being sent with LWF

by in All Apps and Add-ons
‎07-11-2011 08:53 AM
‎07-11-2011 08:53 AM
I am using a LWF to send Windows DHCP logs to an indexer using this configuration: [monitor://F:\dhcp] sourcetype = dhcp crcSalt = alwaysOpenFile = 1 disabled = false whitelist = Dhcp.+\.log The logs that end up on the the indexer look like this: 31,07/11/11,10:44:57,DNS Update Failed,10.1.60.56, . ,,,0,6,,, with a sourcetype of dhcp. I have copied and changed the props.conf to be this: [dhcp] TIME_PREFIX=\, TIME_FORMAT=%m/%d/%y,%T SHOULD_LINEMERGE=false REPORT-dhcp=win_dhcp_extract,win_dhcp_expired-deleted TRANSFORMS-dhcp=null_win_dhcp_header FIELDALIAS-1=dhcp_id as cef_sid FIELDALIAS-2=desc as cef_name LOOKUP-winDHCP-mac=winDHCP_mac-vendorname src_mac_prefix OUTPUT src_mac_vendor LOOKUP-winDHCP-CEF=winDHCP_CEF-lookup cef_sid OUTPUTNEW LOOKUP-winDHCP-message=winDHCP_message_lookup dhcp_id OUTPUTNEW Within the Windows DHCP app I don't have any data displayed; looking for some help on the configuration. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM