Hi,
I want to create a lookup table that will load my /etc/hosts data, so that I can associate snmp traps with actual hostnames. From what I've read, the best way(?) to do this is to call an external script, but my concern is that this script will be firing quite often, as the feed coming into splunk is quite active. Is there an alternative way of doing this? The /etc/hosts file will update at least daily, and sometimes more, so I also need a way of updating the lookup table. The size is about 3000 rows of data.
Any advice is appreciated...
If you're dealing w/ SNMP traps, then your trap receiver (snmptrapd?) should be able to write into the message of the trap the host it originated from, doing a reverse lookup either in DNS or in /etc/hosts. From there, configure Splunk to extract the host name at index time from the raw event itself. This is how things like syslog are handled straight out of the box.
If you expect the /etc/hosts file to be updated about daily, how about having a script that takes the hosts file and converts it into a file in CSV format that's suitable to use as a static lookup? Either just run it through cron, or you could have Splunk schedule when the script is run.
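One way to write the hosts-to-CSV converter suggested above, as an added example that is not part of the original thread: it handles comments, aliases and name-less lines so a stale or odd /etc/hosts entry does not break the lookup. The column names `ip` and `host` and the idea of dropping the output into the app's lookups/ directory from cron are assumptions.

```python
#!/usr/bin/env python3
# Added example, not from the original thread: convert /etc/hosts into a CSV
# usable as a Splunk static lookup. Column names "ip" and "host" are an
# assumption; the output would be dropped into the app's lookups/ directory
# by a cron job so the table tracks daily changes to /etc/hosts.
import csv
import io
import sys


def parse_hosts(text):
    """Return one {"ip", "host"} row per name on each /etc/hosts line.

    The canonical name and every alias each get a row, so a lookup on either
    resolves. Blank lines, comment lines and trailing '# ...' comments are
    skipped, as is a line that carries an address but no name.
    """
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip inline comments
        fields = line.split()
        if len(fields) < 2:                   # empty, comment-only, or no name
            continue
        ip, names = fields[0], fields[1:]
        rows.extend({"ip": ip, "host": name} for name in names)
    return rows


def to_lookup_csv(rows):
    """Render rows as header-first CSV, the layout a static lookup expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "host"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample standing in for a real /etc/hosts (not real hosts).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# management network
10.0.0.5    switch01.example.test switch01   # core switch
10.0.0.6
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path) as f:
        sys.stdout.write(to_lookup_csv(parse_hosts(f.read())))
```

Run it as `hosts2lookup.py /etc/hosts > hosts.csv` from cron, then point a lookup definition at hosts.csv; the address-only line and the comment lines are dropped rather than producing half-empty rows.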
Yes, indexer. These fields are being looked up at search-time, so where they originated from doesn't matter.
One last question? I'm looking at the doc, but it doesn't specify if the lookup should exist on the forwarder, or the indexer - any idea? I'm assuming indexer...
Thanks! I appreciate it.
Documentation on how to use lookup is available here: http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources
Specifically, you'll want to read up on static lookups in this section: http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources#Set_up...
Thanks. In theory, that would work. I guess my next question is how would I "call" that static lookup?