- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- external lookup advise
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
external lookup advise
Hi,
I want to create a lookup table that will load my /etc/hosts data, so that I can associate snmp traps with actual hostnames. From what I've read, the best way(?) to do this is to call an external script, but my concern is that this script will be firing quite often, as the feed coming into splunk is quite active. Is there an alternative way of doing this? The /etc/hosts file will update at least daily, and sometimes more, so I also need a way of updating the lookup table. The size is about 3000 rows of data.
Any advise is appreciated...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're dealing w/ SNMP traps, then your trap receiver (snmptrapd?) should be able to write into the message of the trap the host it originated from, doing a reverse lookup either in DNS or in /etc/hosts. From there, configure Splunk to extract the host name at index time from the raw event itself. This is how things like syslog are handled straight out of the box.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you expect the /etc/hosts file to be updated about daily, how about having a script that takes the hosts file and converts it into a file in CSV format that's suitable to use as a static lookup? Either just run it through cron, or you could have Splunk schedule when the script is run.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, indexer. These fields are being looked up at search-time, so where they originated from doesn't matter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One last question? I'm looking at the doc, but it doesn't specify if the lookup should exist on the forwarder, or the indexer - any idea? I'm assuming indexer...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! I appreciate it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Documentation on how to use lookup is available here: http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources
Specifically, you'll want to read up on static lookups in this section: http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources#Set_up...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. In theory, that would work. I guess my next question is how would I "call" that static lookup?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
