Splunk lookup props.conf
Quite often, especially when using Splunk Enterprise Security, we need a dynamic lookup between IP addresses seen in events and hostname values. This is useful for the analyst looking at the event data, but it also allows events from sources such as network traffic to be associated with events from sources such as the Windows event log.

How can we get Splunk to do this association automatically at search time?

Time-based lookups use the time of an event to perform a lookup against a set of values that carry their own timestamps. Splunk retrieves the closest match between the search-time event and the lookup file. A maximum skew between the two times can be configured, so for example we can have Splunk retrieve the closest matching value in the lookup file that occurred within one hour of the event in question.

The lookup file is very, very simple: dhcp_time

The lookup file itself can be automatically populated by Splunk using SPL and a DHCP dataset, such as one generated by the Windows DHCP service.

These can be configured using a standard props / transforms rule on your Splunk search head:

LOOKUP-dhcp_lookup_auto = dhcp_time_lookup dhcp_hostname AS host OUTPUTNEW dhcp_ip AS dhcp_ip

The result is an automatic lookup that runs on the WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype, matching against the single entry of the lookup file whose timestamp field is no more than one hour behind the search-time event. This offset allows us to keep multiple entries in the lookup over time, which means that as new IPs are assigned, events should match the most appropriate single entry based on time.
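As an added example (not from the original post), here are the configuration stanzas that the LOOKUP line above depends on: the transforms.conf stanza that makes dhcp_time_lookup a time-based CSV lookup with a one-hour skew, the props.conf stanza that carries the LOOKUP line, and a scheduled search that populates the CSV from DHCP events. The lookup columns dhcp_time, dhcp_ip and dhcp_hostname are taken from the LOOKUP line on the page; the index name, sourcetype and source field names (ip, host_name) in the populating search are assumptions and must be adjusted to however your DHCP data is indexed.

```ini
# ---- transforms.conf (search head) ----
# Assumed example stanza. Defines the CSV lookup and makes it
# time-based: each row is matched on its dhcp_time column.
[dhcp_time_lookup]
filename = dhcp_time_lookup.csv
# column holding the lease timestamp
time_field = dhcp_time
# epoch seconds, as written by "eval dhcp_time=_time" below
time_format = %s
# a row may not be newer than the event ...
min_offset_secs = 0
# ... and may be at most one hour older than it
max_offset_secs = 3600
# return only the single closest row
max_matches = 1

# ---- props.conf (search head) ----
# The automatic lookup from the page, bound to the Sysmon sourcetype.
# Matches the lookup's dhcp_hostname against the event's host field and
# adds dhcp_ip only if the event does not already carry that field.
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
LOOKUP-dhcp_lookup_auto = dhcp_time_lookup dhcp_hostname AS host OUTPUTNEW dhcp_ip AS dhcp_ip

# ---- savedsearches.conf (search head) ----
# Assumed example scheduled search that appends new DHCP leases to the
# lookup every 15 minutes. index, sourcetype and the ip / host_name
# field names are assumptions; rename them to match your DHCP data.
[Populate dhcp_time_lookup]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = index=dhcp sourcetype=DhcpSrvLog | eval dhcp_time=_time | rename ip AS dhcp_ip, host_name AS dhcp_hostname | table dhcp_time dhcp_ip dhcp_hostname | outputlookup append=true dhcp_time_lookup.csv
```

Two things to check once this is in place. First, the LOOKUP line matches the lookup's dhcp_hostname against the Sysmon event's host field, so the host names written into the CSV must be in the same form (short name versus FQDN, same case) as Splunk's host field for the Sysmon events, otherwise the match silently returns nothing. Second, outputlookup append=true grows the CSV without bound; keep a periodic search that reads the lookup, drops rows with a dhcp_time older than the lease history you need, and writes it back without append, so the time-based match stays fast and old leases cannot be returned for hosts that no longer exist.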