Getting Data In

Change IPs in syslog to names in csv file?

lazermissile
New Member

I have been trying to learn where to begin with this, but I'm still struggling three days later, so I figured I would ask here.

I am trying to display OSPF and PIM neighbor tables that I have sent to syslog, but instead of displaying them with their IP addresses, I would like to use names I have in a csv file.

The format of the csv file, I think, should be something like this:

ip, hostname
43.25.65.3, Router1
10.127.99.213, Router2
76.99.5.244, Router3
172.16.1.1, Router4

This is the syslog output from the router as it's shown in Splunk:

May  3 16:18:07 172.16.8.81 451: *Mar  1 00:32:24.691: %HA_EM-6-LOG: sys:
May  3 16:18:07 172.16.8.81 452:
May  3 16:18:07 172.16.8.81 453: Neighbor ID     Pri   State           Dead Time   Address         Interface
May  3 16:18:07 172.16.8.81 454: 43.25.65.3        1   FULL/BDR        00:00:35    172.16.1.1      FastEthernet0/0
May  3 16:18:07 172.16.8.81 455: 76.99.5.244       1   FULL/BDR        00:00:38    10.127.99.213   FastEthernet1/0

I don't know how to go about actually applying this stuff to the syslog output. If anyone can suggest a simple way to accomplish this I would be so happy!

If there is an easier way to do this (No DHCP) then please suggest. Thanks!

0 Karma

dwaddle
SplunkTrust

The easiest solution may not be a "Splunk" one at all. Put your router IPs in /etc/hosts on the machine receiving the syslog. Let it write the proper host names into the events as they are received.

I am making an assumption here that you are using syslog-ng or rsyslog or something as the UDP receiver and letting Splunk read its input files. If you're using Splunk's own UDP receiver, you may need to set:

connection_host = dns

for the appropriate stanza in inputs.conf.

0 Karma

sowings
Splunk Employee

You'll first need to make sure that you're capturing the dotted IP address from the log lines as a field. Let's say you've set it up and have a field called host_ip. (The host field created by Splunk may or may not reflect the IP address of the router device, depending upon whether or not you have the data going over a syslog channel directly into Splunk, or whether there is a syslog receiver and Splunk Forwarder in between....)

Once you have a field containing the dotted IP, you're talking about a lookup. Use the Manager > Lookups section to first create a file (with the contents you've provided), then create a lookup definition, to be able to refer to it by name. Let's say you called the file router_ips.csv, and then created a lookup definition router_lookup to refer to that file.

Now, in the search bar, you could do: < your search > | lookup router_lookup ip AS host_ip OUTPUT hostname. At this point the hostname field would contain a string like 'Router4'.

You can further configure this lookup (again, via the Manager) to be automatic, and not require the extra "lookup" step described above.

0 Karma
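The two steps in the answer above (extract the dotted IPs from each neighbor row as fields, then look each one up in the CSV) can be checked outside Splunk first. The following Python is an added example, not code from this thread or from Splunk: it embeds the CSV and the syslog rows from the question as constructed sample data, extracts the Neighbor ID and Address columns with a regex that first consumes the "timestamp, reporting host, sequence number" prefix (so the router's own 172.16.8.81 is never mistaken for a neighbor field), and applies the same mapping that `| lookup router_lookup ip AS host_ip OUTPUT hostname` would. The field names (`neighbor_id`, `address`, `neighbor_name`, `address_name`) are this example's own choices, not Splunk defaults, and an IP missing from the CSV is kept as the raw address rather than dropped, so the table never silently loses a neighbor.

```python
import csv
import io
import re

# Constructed sample CSV, same layout as the one proposed in the question (ip, hostname).
ROUTER_CSV = """ip, hostname
43.25.65.3, Router1
10.127.99.213, Router2
76.99.5.244, Router3
172.16.1.1, Router4
"""

# Constructed sample syslog lines in the format shown in the question.
SYSLOG_LINES = [
    "May  3 16:18:07 172.16.8.81 453: Neighbor ID     Pri   State           Dead Time   Address         Interface",
    "May  3 16:18:07 172.16.8.81 454: 43.25.65.3        1   FULL/BDR        00:00:35    172.16.1.1      FastEthernet0/0",
    "May  3 16:18:07 172.16.8.81 455: 76.99.5.244       1   FULL/BDR        00:00:38    10.127.99.213   FastEthernet1/0",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Field extraction for OSPF neighbor rows. The syslog prefix
# "<timestamp> <reporting host> <seq>:" is matched explicitly, then the
# neighbor columns. Header lines and other router output do not match.
NEIGHBOR_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>" + IPV4 + r") \d+: "
    r"(?P<neighbor_id>" + IPV4 + r")\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead_time>\d\d:\d\d:\d\d)\s+(?P<address>" + IPV4 + r")\s+(?P<interface>\S+)\s*$"
)


def load_lookup(csv_text):
    """Parse the CSV into {ip: hostname}; skipinitialspace handles the ', ' separators."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    return {row["ip"].strip(): row["hostname"].strip() for row in reader}


def parse_neighbor(line):
    """Extract the neighbor fields from one syslog line; None for lines that are not neighbor rows."""
    m = NEIGHBOR_RE.match(line)
    return m.groupdict() if m else None


def enrich(line, lookup):
    """Apply the CSV lookup to both IP fields (the equivalent of
    '| lookup ... ip AS <field> OUTPUT hostname' run twice). Unknown IPs
    keep their raw value so no row disappears from the table."""
    fields = parse_neighbor(line)
    if fields is None:
        return None
    fields["neighbor_name"] = lookup.get(fields["neighbor_id"], fields["neighbor_id"])
    fields["address_name"] = lookup.get(fields["address"], fields["address"])
    return fields


def neighbor_table(lines, lookup):
    """Return only the enriched neighbor rows, in input order."""
    rows = [enrich(line, lookup) for line in lines]
    return [r for r in rows if r is not None]


if __name__ == "__main__":
    table = neighbor_table(SYSLOG_LINES, load_lookup(ROUTER_CSV))
    for r in table:
        print(f"{r['neighbor_name']:<10} {r['state']:<10} {r['address_name']:<15} {r['interface']}")
```

Running it prints one line per neighbor with Router1/Router4 and Router3/Router2 in place of the two IP columns; the same regex, minus the Python group syntax details, is what you would reproduce in Splunk as the field extraction before the lookup.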