So the title is what I need in a nutshell but I'll elaborate. We have a large-ish installation with more than 100,000 hosts being indexed. Since we're indexing data for such a large amount of hosts, we've left our installation open so that anyone in the corporation can send data to us via syslog, snmp traps, or splunk forwarders, given that they have the right IP addresses.
The problem we have now though, is that within our organization, we have no guarantee that hostnames will not be duplicated within our environment. We do, however, have a guarantee that hostname.domain will be unique. Since we know that this is unique, we want to be able to report on it via a script. Basically a check that says "this host has reported into splunk in the last 5 minutes, and here's the sources that have reported in".
My two thoughts are, have the host field set to the FQDN, or the dns domain included as a field in the records being sent. The problems here are:
A lot of this is syslog data, and splunk automatically pulls the hostname from the syslog data, regardless of what it's told the hostname is.
We don't want to have to change our hostnames on the hosts to include the domain if we can help it.
We don't want to have to maintain a translation table on the indexers. Ideally we'd like anyone, anywhere in the company to be able to send a record that somehow includes host.domain, whether it's in the hostfield, or domain is in another field.
So in a nutshell, I'd like to be able to get that domain info somehow included, but without any extra work on the indexers, or rather, entirely via the forwarders themselves. Then it's as simple as a REST API call that looks for host=host.domain, or at least host=hostname domain=domain, either of which is fine.
Any ideas?
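One way to prototype the "who reported in the last 5 minutes, and from which sources" check the post asks for, as an added example that is not part of the original post: the event records, field names (`_time`, `host`, `domain`, `source`) and timestamps are constructed, and the code accepts both representations mentioned above (`host=host.domain`, or `host` plus a separate `domain` field) by normalising them to one FQDN key before collecting sources.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data) in the two shapes the post describes:
# either host already carries the domain, or host and domain are separate fields.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T12:00:10+00:00", "host": "web01.corp.example", "source": "udp:514"},
    {"_time": "2024-01-01T12:01:00+00:00", "host": "web01", "domain": "lab.example",
     "source": "/var/log/messages"},
    {"_time": "2024-01-01T12:02:30+00:00", "host": "web01", "domain": "corp.example",
     "source": "snmp_trap"},
    {"_time": "2024-01-01T11:40:00+00:00", "host": "db01.corp.example", "source": "udp:514"},
]


def fqdn_of(event):
    """Normalise an event to its unique host.domain key.

    Two hosts named web01 in different domains must stay distinct, so the
    domain is always folded into the key when it is present as its own field.
    """
    host = event.get("host", "")
    domain = event.get("domain")
    if domain:
        # Avoid doubling the suffix when host already ends with the domain.
        if host.endswith("." + domain):
            return host
        return f"{host}.{domain}"
    return host  # assumed to already be the FQDN


def recent_reporters(events, now, window=timedelta(minutes=5)):
    """Return {fqdn: sorted list of sources} for hosts seen within `window` of `now`."""
    cutoff = now - window
    seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        if ts < cutoff or ts > now:
            continue  # outside the reporting window
        seen.setdefault(fqdn_of(ev), set()).add(ev["source"])
    return {key: sorted(sources) for key, sources in seen.items()}


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 3, tzinfo=timezone.utc)
    for fqdn, sources in sorted(recent_reporters(SAMPLE_EVENTS, now).items()):
        print(fqdn, sources)
```

In a live setup the event list would come from a search over the indexed data rather than the constructed list above; the grouping logic is the same.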