Channel: Latest Questions on Splunk Answers

Conditional searching


I'm unsure how to do the following. In our environment, some clients receive private IP addresses (and are translated to public) and others receive public addresses. I need to be able to enter a public IP address and then sift through logs to find the associated MAC address and username.

If it's a translated public IP address, I need to FIRST check for the IP in sourcetype=firewall for src_translated_ip=<publicip>.

  • If it finds a result, take the associated src_ip (i.e., the private IP address) and then search in sourcetype=dhcp for the src_mac, and then map to sourcetype=auth with the src_ip and src_mac in order to get the username.
  • If it does NOT find a result, use the original src_translated_ip and search with it as "src_ip" in sourcetype=dhcp for the src_mac, etc.

So basically, first see if it's translated; if it's not, proceed using the IP. If it is translated, find the "real" IP address, then proceed using the real IP.

I have both searches figured out independently, but I want to allow for a user to simply provide the one IP address and then use if/then/else or an equivalent to do the heavy lifting.

Ideas?
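One way to express the "check the firewall first, fall back to the entered IP" logic in a single SPL search, added here as an example and not part of the original question: the innermost subsearch always emits one row because `stats count` returns count=0 on zero events, so `eval` can substitute the entered IP when no NAT translation is found. The IP 203.0.113.10 is a constructed sample, and the `user` field in sourcetype=auth is an assumed name; `src_translated_ip`, `src_ip` and `src_mac` are the field names from the question.

```spl
sourcetype=auth
    [ search sourcetype=dhcp
        [ search sourcetype=firewall src_translated_ip="203.0.113.10"
          | stats count latest(src_ip) as src_ip
          | eval src_ip=if(count>0, src_ip, "203.0.113.10")
          | return src_ip ]
      | stats latest(src_mac) as src_mac by src_ip
      | return src_ip src_mac ]
| table _time src_ip src_mac user
```

In a dashboard, replace both occurrences of the literal IP with a text-input token such as `$ip$`; note that subsearches inherit the outer time range, so the firewall translation must fall inside the same window as the DHCP and auth events.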

