Configure Enrichment¶

The steps to setup enrichment for this app utilize Splunk Lookups. For more information on lookups see Splunk Docs: About lookups.

Pi-hole DHCP Enrichment Configuration¶

For the built-in DHCP hostname enrichment to work, there is a scheduled search that needs to be enabled (Disabled by default).

1. From Splunk Web, open the Pihole DNS App for Splunk.
2. Navigate to Settings > Searches, Reports, and Alerts.
3. Ensure the "App" context is the Pihole DNS App for Splunk by using the dropdown.
4. Set the "Owner" to "all"
5. Enable by clicking "Edit" > "Enable"
6. Click "Run"

Clicking Run will build the lookup for the first time. After that, the lookup will run hourly to keep the information up to date. The frequency that the search runs can be updated by the following:

1. From the same screen, click Edit > Edit Schedule.
2. Update the schedule as needed.

Alternative Enrichment Configuration¶

Static Lookup File¶

Using a static lookup file may be the simplest way to get started for enriching IPs with hostnames. The static list takes more to maintain but is easier to get started. If your environment utilizes static IPs or DHCP reservations, this option is the easiest choice.

Method 1 - Use the Lookup Editor¶

Recommended

The lookup editor may be the easiest way to create and mange lookups in Splunk. You can download and install the Lookup Editor from Splunkbase: Lookup Editor.

Once installed, the lookup editor can be used to create a new CSV lookup.

1. Open the Lookup Editor in Splunk Web.
2. Click "Create a New Lookup" > CSV lookup.
3. Give the lookup a descriptive name.
4. Choose which App context this lookup will be stored in (i.e. Search & Reporting).
5. Leave the "User-only" box unchecked. This will give the lookup the global scope permissions it needs.

6. Create column headers (row 1). This app uses the following for the CSV header, however, any field names can be used.

   Recomended Headers

   dest_nt_host,dest_ip,dest_mac
   

7. Populate the remaining rows with the IP and host information.

8. Once saved, move on to Update Lookup Macros.

Method 2 - Create and Upload a new CSV file¶

A lookup file can be created outside of Splunk and then uploaded via the web interface.

1. Use an editor to create a file in CSV format.

2. Create column headers (row 1). This app uses the following for the CSV header, however, any field names can be used.

   Recomended Headers

   dest_nt_host,dest_ip,dest_mac
   

3. Populate the remaining rows with the IP and host information.

4. Be sure to save the file with a .csv extension.
5. Open Splunk Web.
6. Navigate to Settings > Lookups > Lookup table files (click "+ Add new")
7. Select the Destination App (i.e. Search & Reporting).
8. Upload the file.
9. Provide the Destination filename. This can be the same name as the one created (i.e. pihole_lookup.csv).
10. Once saved, Navigate back to Settings > Lookups > Lookup table files, if you are not already there.
11. Search for the name of the file you just uploaded.
12. Modify the permissions for the file by clicking "Permissions."
13. Select "All apps (system)" from the two radio options.
14. Check "Read" permissions for Everyone. Write permissions can be given as needed (typically set to admin & power).
15. After saving, move to Update Lookup Macros.

Use an existing lookup file¶

If you already have an existing lookup file that contains a mapping of hostnames and IPs, ensure the following:

1. The lookup file has a global scope.
2. Users are able to read the lookup file.
3. If you are using a lookup file and a lookup definition, also ensure the lookup definition has the same permissions as above.

Once verified the correct permissions are set, see Update Lookup Macros.