Splunk Search

Aliases for "host" field?

alexander_lucas
Explorer

Greetings,

At the moment, due to various sources/sourcetypes as well as historical hostname changes, we have a lot of "duplicate" hostnames listed under "hosts" inside the Summary - Search view. One example of a host: say in /var/log/cache.log it has a hostname of linux33.ext and in /var/log/messages it has a hostname of linux33.local. But actually it's all the same host.
Is there a way to have the Splunk indexer read a file of a format similar to this:

actual_hostname aliases
linux12 linux12.local;linux12.tls.ad
linux16 linux16.local;oldhostnameoflinux16

...and have Splunk show/record only the "actual_hostname" value every time the indexer encounters one of the aliases?
I have a combination of forwarder inputs and syslog inputs on the indexer, so I would like this processing to be done at the indexer itself.

Thank you

0 Karma

khodges_splunk
Splunk Employee

Alexander,

Unless I misunderstand your question, I believe you can achieve this via lookups and then modifying the searches in your views and/or the fields you reference in your searches.

I created and loaded a lookup table that looks like this:

actualhost, host
actualwww1, www1
actualwww2, www2
actualwww3, www3

Then I executed a search using both fields, host and actualhost:

password fail* | table user, host, actualhost

You can see the results below. So you could modify views that use the field host and change it to actualhost to get the values you are looking for. For example, I would modify my search above to use only actualhost:

password fail* | table actualhost

The summary view has a saved search running behind the scenes. You can identify and modify that saved search to show your actual hosts on the summary page too.

I hope this helps.

    user      host                          actualhost
1   irc       www1                          actualwww1
2   harrison  www1                          actualwww1
3   admin     www1                          actualwww1
4   whois     www1                          actualwww1
5             splunk-indexer.mycompany.com
6   root      www1                          actualwww1
7   whois     www1                          actualwww1
8   henri     www1                          actualwww1
9   system    www1                          actualwww1
10  dopey     www1                          actualwww1

0 Karma

alexander_lucas
Explorer

I would like to do it pre-index or at index time.
1. A Splunk indexer receives a log file entry "20101106 linux16.local rd[234] server restarted!"
2. The indexer "rewrites" linux16.local to linux16 (please refer to the tsv file in my question)
3. The indexer saves the entry to an index file with host field = "linux16".

And the same for ALL other types of log that the indexer can parse (syslog, Apache logs, etc.).

0 Karma
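The two approaches in this thread share one piece of logic: a table that maps every alias back to a canonical host name. The following added example (not code from the thread or from Splunk) shows that logic stand-alone in Python: it parses an alias file in the question's format (actual_hostname followed by ';'-separated aliases), renders it as the two-column lookup table the answer uses (actualhost, host), and applies it to raw events the way the reply's three steps describe. The alias file, the event line and the event regex are constructed for the example; the regex assumes a syslog-like "date host process[pid] message" layout and is not a general parser.

```python
"""Host-alias normalisation: alias file -> lookup table -> rewritten host field.

Added example code, not Splunk configuration. The alias file layout follows
the question (actual_hostname, then ';'-separated aliases); the lookup
columns follow the answer (actualhost, host)."""

import csv
import io
import re

# Constructed alias file in the question's format (whitespace-separated columns).
ALIAS_FILE = """\
actual_hostname aliases
linux12 linux12.local;linux12.tls.ad
linux16 linux16.local;oldhostnameoflinux16
"""


def parse_alias_file(text):
    """Return {alias: actual_hostname}; each actual hostname also maps to itself.

    Names are case-folded because hostnames are case-insensitive. An alias
    that is claimed by two different actual hosts is rejected instead of
    silently taking the last one, because that would mislabel events."""
    mapping = {}
    lines = text.strip().splitlines()
    for line in lines[1:]:  # first line is the header
        parts = line.split(None, 1)
        if not parts:
            continue
        actual = parts[0].lower()
        aliases = parts[1].split(";") if len(parts) > 1 else []
        for name in [actual] + [a.strip().lower() for a in aliases if a.strip()]:
            if mapping.get(name, actual) != actual:
                raise ValueError(
                    f"alias {name!r} claimed by both {mapping[name]!r} and {actual!r}")
            mapping[name] = actual
    return mapping


def to_lookup_csv(mapping):
    """Render the answer's lookup table: header actualhost,host, one row per alias."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["actualhost", "host"])
    for alias, actual in sorted(mapping.items()):
        writer.writerow([actual, alias])
    return buf.getvalue()


# Constructed event layout: "<date> <host> <process>[pid] <message>".
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")


def normalise_host(raw_event, mapping):
    """Steps 1-3 of the reply: extract the host token, rewrite it through the
    alias map and return the value to store in the host field. Hosts that are
    not in the map are kept unchanged so no event is dropped or mislabelled."""
    match = EVENT_RE.match(raw_event)
    if not match:
        return None
    host = match.group("host").lower()
    return mapping.get(host, host)


def index_events(raw_events, mapping):
    """Return (host, raw_event) pairs as an indexer would store them."""
    return [(normalise_host(raw, mapping), raw) for raw in raw_events]


if __name__ == "__main__":
    aliases = parse_alias_file(ALIAS_FILE)
    print(to_lookup_csv(aliases))
    for host, raw in index_events(
            ["20101106 linux16.local rd[234] server restarted!",
             "20101106 linux12.tls.ad sshd[77] session opened"], aliases):
        print(host, "<-", raw)
```

The map is built once and applied per event, which is the shape both approaches take: the answer does the mapping at search time with a lookup, the reply wants it done before the event is written. Either way the alias table is the thing worth keeping under version control and checking for conflicting entries, which is why the parser refuses an alias that points at two hosts.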