Greetings,
At the moment, due to various sources/sourcetypes as well as historical hostname changes, we have a lot of "duplicate" hostnames listed under "hosts" inside the Summary - Search view. One example of a host: say in /var/log/cache.log it has a hostname of linux33.ext and in /var/log/messages it has a hostname of linux33.local, but actually it's all the same host.
Is there a way to have the splunk indexer read a file of a similar format to this:
actual_hostname aliases
linux12 linux12.local;linux12.tls.ad
linux16 linux16.local;oldhostnameoflinux16
...and have Splunk show/record only the "actual_hostname" value for every time the indexer encounters one of the aliases?
I have a combination of forwarder inputs and syslog inputs on the indexer so I would like this processing to be done at the indexer itself.
Thank you
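As an added example (not the asker's code and not something shipped with Splunk), the Python script below parses an alias file in the format described in the question and generates index-time host-rewrite stanzas for transforms.conf and props.conf. The setting names it emits (SOURCE_KEY, REGEX, FORMAT, DEST_KEY, MetaData:Host, TRANSFORMS-<class>) are Splunk's documented index-time transform keys; the stanza names canonhost_<host>, the class name TRANSFORMS-canonhost, and the sample host list are assumptions made for this example.

```python
"""Generate Splunk props.conf / transforms.conf stanzas from a host-alias file.

Added example, not from the original post. Assumes the alias file format from
the question: one canonical host per line followed by a semicolon-separated
alias list. Stanza names (canonhost_<host>) are made up for this example.
"""
import re

# Constructed sample in the question's format (hostnames are not real hosts).
SAMPLE_ALIAS_FILE = """\
actual_hostname aliases
linux12 linux12.local;linux12.tls.ad
linux16 linux16.local;oldhostnameoflinux16
# comment lines and blank lines are tolerated

linux33 linux33.ext;linux33.local
"""


def parse_alias_file(text):
    """Return {canonical_host: [alias, ...]} from the alias file text.

    Skips the 'actual_hostname aliases' header, blank lines and '#' comments.
    Drops aliases equal to the canonical name and exact duplicates. Raises
    ValueError when one alias maps to two canonical hosts, because that would
    make the generated transforms ambiguous.
    """
    mapping = {}
    seen_alias = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<host> <alias;alias>'" % lineno)
        canonical, alias_field = parts
        if canonical == "actual_hostname":  # header line
            continue
        bucket = mapping.setdefault(canonical, [])
        for alias in alias_field.split(";"):
            alias = alias.strip()
            if not alias or alias == canonical or alias in bucket:
                continue
            owner = seen_alias.get(alias)
            if owner is not None and owner != canonical:
                raise ValueError("line %d: alias %r already maps to %r"
                                 % (lineno, alias, owner))
            seen_alias[alias] = canonical
            bucket.append(alias)
    return mapping


def stanza_name(canonical):
    # Assumed naming scheme; restricted to characters safe in a .conf stanza.
    return "canonhost_" + re.sub(r"[^A-Za-z0-9_]", "_", canonical)


def host_regex(aliases):
    """Anchored, dot-escaped alternation so linux12.local never matches
    linux12xlocal. The optional 'host::' prefix is tolerated because the
    metadata value may carry that prefix when read back via SOURCE_KEY."""
    return "^(?:host::)?(?:%s)$" % "|".join(re.escape(a) for a in aliases)


def build_transforms_conf(mapping):
    """One transforms.conf stanza per canonical host.

    SOURCE_KEY = MetaData:Host runs the regex against the host the event
    already carries (set by the forwarder or the syslog input) rather than
    against _raw, so one stanza serves both input kinds.
    """
    out = []
    for canonical in sorted(mapping):
        if not mapping[canonical]:
            continue
        out += ["[%s]" % stanza_name(canonical),
                "SOURCE_KEY = MetaData:Host",
                "REGEX = %s" % host_regex(mapping[canonical]),
                "FORMAT = host::%s" % canonical,
                "DEST_KEY = MetaData:Host",
                ""]
    return "\n".join(out)


def build_props_conf(mapping):
    """One [host::<alias>] props.conf stanza per alias, so the transform only
    runs for hosts that actually need rewriting instead of on every event."""
    out = []
    for canonical in sorted(mapping):
        for alias in mapping[canonical]:
            out += ["[host::%s]" % alias,
                    "TRANSFORMS-canonhost = %s" % stanza_name(canonical),
                    ""]
    return "\n".join(out)


def alias_regex_matches(mapping, canonical, observed_host):
    """Offline check of what the generated REGEX does for one host value."""
    return re.match(host_regex(mapping[canonical]), observed_host) is not None


if __name__ == "__main__":
    m = parse_alias_file(SAMPLE_ALIAS_FILE)
    print("# transforms.conf\n" + build_transforms_conf(m))
    print("# props.conf\n" + build_props_conf(m))
```

Two caveats worth checking before relying on this: index-time transforms only change events as they are parsed, so data already indexed under an alias keeps that host value, and the rewrite runs only on the first full Splunk instance that parses the event (data from a universal forwarder is parsed on the indexer, data from a heavy forwarder is not). For syslog inputs, send a test event and confirm which host value the transform sees, since the host may still be the sender's address rather than the name in the syslog header at the point the rewrite runs.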