Hi,
I am trying to add an IP address hint to the Active Directory logs. I know it isn't completely reliable, but it is just to get a general idea of the IP address the workstations had when they generated some events. Sometimes the IP is already included in the event, but most times it isn't.
The way I am trying to implement it is by building a state table with a scheduled query:

index="dhcp" (description="DNS Update Successful" OR description="Renew") | dedup hostname | outputcsv dhcpstatetable

and then using an automatic lookup to add a probableip field to the AD events.
I have the problem that outputcsv writes the CSV to /var/run, which I can't use to create a lookup definition.
Is there a better way to do this?