---

@borisurdu novels wrote:

Hi all,

 

wanted to know why Infoblox reports "lease threshold crossed" message in separate syslog messages, rather than a single one that would appear as one event in the splunk?

 

In the SMNP trap the information is concatenated in separate lines:

DHCP high threshold crossed:
Member: a.b.c.220
Network: a.b.c.0/24/default
Range: a.b.c.102/a.b.c.102///default/
High Trigger Mark: 90%
High Reset Mark: 85%
Current Usage: 100%
Active Leases: 1
Available Leases: 0

Total Addresses: 1 

 

would be good if it is in the same syslog message, instead that every piece of information needs to be a separate syslog message.

How to link the messages together to renders it possible for Splunk to extract the info?
We would like to see/use this alert in one line to use it in splunk.

thanks for your outputs

---

To address the "lease threshold crossed" messages appearing as separate syslog entries in Splunk, you can configure Splunk to correlate these related messages into a single event. One approach is to use Splunk's “Transaction” command to group multiple log messages based on a common identifier or timestamp.