All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Logs being sent with LWF

a03858
New Member
‎07-11-2011 08:53 AM

I am using a LWF to send Windows DHCP logs to an indexer using this configuration:

[monitor://F:\dhcp]
sourcetype = dhcp
crcSalt = 
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

The logs that end up on the the indexer look like this:



31,07/11/11,10:44:57,DNS Update Failed,10.1.60.56,.,,,0,6,,,

with a sourcetype of dhcp.

I have copied and changed the props.conf to be this:



[dhcp]

TIME_PREFIX=\,

TIME_FORMAT=%m/%d/%y,%T

SHOULD_LINEMERGE=false

REPORT-dhcp=win_dhcp_extract,win_dhcp_expired-deleted

TRANSFORMS-dhcp=null_win_dhcp_header

FIELDALIAS-1=dhcp_id as cef_sid

FIELDALIAS-2=desc as cef_name

LOOKUP-winDHCP-mac=winDHCP_mac-vendorname src_mac_prefix OUTPUT src_mac_vendor

LOOKUP-winDHCP-CEF=winDHCP_CEF-lookup cef_sid OUTPUTNEW

LOOKUP-winDHCP-message=winDHCP_message_lookup dhcp_id OUTPUTNEW

Within the Windows DHCP app I don't have any data displayed; looking for some help on the configuration.

Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎07-11-2011 04:08 PM

Please refer to the app documentation:

http://splunk-base.splunk.com/apps/22353/windows-dhcp

Saved Searches

Most of the saved searches and dashboards depend on the macro WinDHCP_event being defined correctly. By default, this event type is defined as "sourcetype=DhcpSrvLog", so if you have performed the initial step of getting the field extractions to work, you should be all set. If you still have problems, please post to answers.splunk.com using the link on this page.

Thus, for in your case, you should change the macro to be sourcetype=dhcp. You might have to wait 5 or 10 minutes after that for the dashboard's saved searches to work as expected.

0 Karma
Reply

a03858
New Member
‎07-11-2011 09:56 AM

The link shows this search - search sourcetype=DhcpSrvLog src_mac_prefix=* | top limit=10 src_mac_vendor showperc=f - with the part before the pipe highlighted.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎07-11-2011 09:26 AM

On one of the dashboards where you are not getting data displayed, there will be a link next to 'no results found'. When you click on this link, it should show you some information on the search that was run, including the search itself. Can you let me know what the search string is?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...