Solved: How to put FQDN in syslog input instead of IP addr...

lguinn2 · ‎12-01-2010

I am indexing a file of aggregated syslog events. The events in the file contain the IP addresses of the various hosts.

If I could input this data as a network input (TCP or UDP), I would be able to use the DNS setting on the input, and Splunk would do a reverse DNS lookup on the IPs as the events arrived. But that is not an option in this case.

I do want to index this file using the FQDN of the hosts, rather than the IP addresses. This would be more consistent with my other inputs, and I believe it would be more efficient than running external_lookup.py all the time.

Is this possible with Splunk 4.1.x?

gkanapathy · ‎12-01-2010

Yes. I'm assuming you're using Splunk UDP input. If you're using a syslog server and Splunking in the resulting file, you should set up the syslog server to do the lookup when it writes to the file. With a Splunk UDP input add:

connection_host = dns

to the input stanza for the UDP input in inputs.conf.

View solution in original post

gkanapathy · ‎12-01-2010

Yes. I'm assuming you're using Splunk UDP input. If you're using a syslog server and Splunking in the resulting file, you should set up the syslog server to do the lookup when it writes to the file. With a Splunk UDP input add:

connection_host = dns

to the input stanza for the UDP input in inputs.conf.

NetFlow_Logic · ‎05-27-2013

Our customers are asking about resolving IP addresses to FQDN in Splunk. Are there any development in this area in Splunk since 2010?

lguinn2 · ‎12-09-2010

I am not using UDP, but this still answered my question. I need to set up the syslog server to do the DNS lookup.

How to put FQDN in syslog input instead of IP address?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability