Splunk Enterprise

DHCP Logs not parsing correctly. Any advice how to correct please. Where do I start please? Thank u

SamHTexas
Builder

Need help to get the DHCP logs in Splunk tagged and parsed correctly. The data is in the index xyz.

  1. The IPv6 DHCP data is being tagged correctly, with sourcetype=dhcp. The IPv4 DHCP data is being tagged with sourcetype=xyz:bind:query. Can we get that corrected to dhcp? I believe all of the DHCP servers also provide DNS. All of those log entries appear to have the correct sourcetype xyz:bind:query.

  2. The DHCP request type is not being parsed in index=xyz sourcetype=dhcp. I'd like this to be stored in a field. It could be named type, action, or whatever you think is appropriate. Sample values are: DHCP_GrantLease, DHCP_RenewLease, DHCP_RebindLease.
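One way to address both points in Splunk configuration, given here as an added example and not taken from the thread: a transforms.conf rule re-assigns events that arrive as xyz:bind:query but carry a DHCP_ keyword to sourcetype dhcp at index time, and a props.conf EXTRACT pulls the request type into a search-time field named action. It assumes the mis-tagged IPv4 DHCP events contain the literal DHCP_<Verb> token shown in the sample values and the DNS query lines do not; the stanza name xyz_dhcp_to_dhcp and the field name action are illustrative choices.

```ini
# ---- props.conf ----
# Index-time rules run where parsing happens (indexer or heavy forwarder),
# so the TRANSFORMS- line must be deployed there, not only on a search head.
[xyz:bind:query]
# Re-sourcetype DHCP events that were tagged as DNS query logs.
# Assumption: DHCP lines carry a DHCP_<Verb> token; DNS query lines do not.
TRANSFORMS-set_dhcp_sourcetype = xyz_dhcp_to_dhcp

[dhcp]
# Search-time extraction (deploy on the search head): capture
# DHCP_GrantLease / DHCP_RenewLease / DHCP_RebindLease, and any other
# DHCP_<Verb>, into a field named "action".
EXTRACT-action = (?<action>DHCP_[A-Za-z]+)

# ---- transforms.conf ----
# Same host as the TRANSFORMS- line above.
[xyz_dhcp_to_dhcp]
# Only events matching this regex are rewritten; everything else keeps
# sourcetype xyz:bind:query.
REGEX = \bDHCP_[A-Za-z]+\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::dhcp
```

The override only affects events indexed after the restart, so earlier IPv4 DHCP events stay under xyz:bind:query; verify the result with `index=xyz sourcetype=dhcp | stats count by action`.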
