Filter IP based on computer name

Techie

Below is a DHCP Lease History splunk query. I want to be able to filter this report by excluding certain computer names and network segments. Example: If a computer name is ABClaptop1 I want to exclude any computer that starts with ABC* and only alert if the computer is not in a certain VLAN (example: 10.100.10.1).

 

 

sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history dhcpd OR dhcpdv6 r-l-e
| eval Protocol=if(PROTO=="dhcpdv6","IPV6","IPV4")
| eval LEASE_START=strftime(START_EPOCH, "%Y-%m-%d %H:%M:%S")
| eval LEASE_END=strftime(END_EPOCH, "%Y-%m-%d %H:%M:%S")
| lookup os_number_fingerprint_lookup OS_NUMBER output SFP
| eval FINGER_PRINT=if(isnull(OS_NUMBER) OR OS_NUMBER==0,FP,SFP)
| lookup nios_member_ip_lookup host output MEMBER_IP
| lookup fingerprint_device_class_lookup FINGER_PRINT output DEVICE_CLASS
| eval DEVICE_CLASS=if(isnull(DEVICE_CLASS), "Modified or Deleted", DEVICE_CLASS)
| rename host as "Member", ACTION as "Action", LEASE_IP as "Lease IP", MAC_DUID as "MAC/DUID", MEMBER_IP as "Member IP", OPTION12HOST as "Host Name", LEASE_START as "Lease Start", LEASE_END as "Lease End", FINGER_PRINT as "Fingerprint"
| convert ctime(_time) as Time
| table Time, Member, "Member IP", Protocol, Action, "Lease IP", "MAC/DUID", "Host Name", "Lease Start", "Lease End", "Fingerprint"


Re: Filter IP based on computer name

Adviser

I answered this another way in your other thread on this topic, but here is a more specific answer to your specific question.

 

You just need to add the necessary filter as shown below.

 



sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history (dhcpd OR dhcpdv6) r-l-e NOT OPTION12HOST="ABC*"
| eval Protocol=if(PROTO=="dhcpdv6","IPV6","IPV4")
| eval LEASE_START=strftime(START_EPOCH, "%Y-%m-%d %H:%M:%S")
| eval LEASE_END=strftime(END_EPOCH, "%Y-%m-%d %H:%M:%S")
| lookup os_number_fingerprint_lookup OS_NUMBER output SFP
| eval FINGER_PRINT=if(isnull(OS_NUMBER) OR OS_NUMBER==0,FP,SFP)
| lookup nios_member_ip_lookup host output MEMBER_IP
| lookup fingerprint_device_class_lookup FINGER_PRINT output DEVICE_CLASS
| eval DEVICE_CLASS=if(isnull(DEVICE_CLASS), "Modified or Deleted", DEVICE_CLASS)
| rename host as "Member", ACTION as "Action", LEASE_IP as "Lease IP", MAC_DUID as "MAC/DUID", MEMBER_IP as "Member IP", OPTION12HOST as "Host Name", LEASE_START as "Lease Start", LEASE_END as "Lease End", FINGER_PRINT as "Fingerprint"
| convert ctime(_time) as Time
| table Time, Member, "Member IP", Protocol, Action, "Lease IP", "MAC/DUID", "Host Name", "Lease Start", "Lease End", "Fingerprint"
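As an added example, not part of either post above, here is the same report with both exclusions the question asked for: hostnames matching one or more prefixes, and leases handed out on one VLAN. It assumes the VLAN in question is the 10.100.10.0/24 subnet (the question only names the address 10.100.10.1), that the leased address is in the LEASE_IP field the original search already renames, and it uses a second prefix, XYZ*, purely as a placeholder to show how several prefixes are excluded at once.

```spl
sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history (dhcpd OR dhcpdv6) r-l-e
    NOT (OPTION12HOST="ABC*" OR OPTION12HOST="XYZ*")
| eval Protocol=if(PROTO=="dhcpdv6","IPV6","IPV4")
| where NOT (Protocol=="IPV4" AND cidrmatch("10.100.10.0/24", LEASE_IP))
| eval LEASE_START=strftime(START_EPOCH, "%Y-%m-%d %H:%M:%S")
| eval LEASE_END=strftime(END_EPOCH, "%Y-%m-%d %H:%M:%S")
| lookup os_number_fingerprint_lookup OS_NUMBER output SFP
| eval FINGER_PRINT=if(isnull(OS_NUMBER) OR OS_NUMBER==0,FP,SFP)
| lookup nios_member_ip_lookup host output MEMBER_IP
| lookup fingerprint_device_class_lookup FINGER_PRINT output DEVICE_CLASS
| eval DEVICE_CLASS=if(isnull(DEVICE_CLASS), "Modified or Deleted", DEVICE_CLASS)
| rename host as "Member", ACTION as "Action", LEASE_IP as "Lease IP", MAC_DUID as "MAC/DUID", MEMBER_IP as "Member IP", OPTION12HOST as "Host Name", LEASE_START as "Lease Start", LEASE_END as "Lease End", FINGER_PRINT as "Fingerprint"
| convert ctime(_time) as Time
| table Time, Member, "Member IP", Protocol, Action, "Lease IP", "MAC/DUID", "Host Name", "Lease Start", "Lease End", "Fingerprint"
```

Three details matter here. Splunk evaluates OR before the implicit AND between search terms, so the protocol keywords are parenthesized and the hostname exclusion sits outside them, otherwise it binds to only one of the two protocols. `NOT OPTION12HOST="ABC*"` is used rather than `OPTION12HOST!="ABC*"` because `!=` only matches events that carry the field, which would silently drop every lease with no option 12 hostname (common for printers, phones and IoT devices) from the report. Subnet membership is not a search-time term, so it is done with `cidrmatch()` in a `where` clause; restricting it to IPV4 rows keeps IPv6 leases in the output instead of depending on how `cidrmatch()` treats an address family that does not match the CIDR, and if the VLAN is dual-stack, OR a second `cidrmatch()` with its IPv6 prefix. To exclude more segments than is comfortable inline, put the CIDRs in a lookup with `match_type = CIDR(...)` and filter on the lookup result.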

 
