Splunk Search

Hostname Table Lookup, Not Working, What's the issue?

drewbfl
Path Finder

Looking to have the IPs replaced with the hostnames. Receiving the error, "The lookup table 'hosts' does not exist. It is referenced by configuration 'syslog'."

Current config:
/apps/search/lookups/hosts.csv:

ip,name  
x.x.x.x,host1  
y.y.y.y,host2

/apps/search/local/props.conf:

[syslog]  
lookup_table = hosts ip AS host OUTPUT name as host  

/apps/search/local/transforms.conf:

[myLookup]  
filename = hosts.csv  

Any thoughts?
Thanks!


Jeremiah
Motivator

I think you've got a couple of problems. Your first issue is that you need to reference the lookup name in your props.conf:

[syslog]
LOOKUP-host = myLookup ip OUTPUT name

The second problem is that you're outputting host which is an existing field in Splunk. You'd be better off using name, or hostname, or some other fieldname. I assume that the ip field is some value in your syslog event, and not the ip of the host generating the syslog event. If you're just trying to get Splunk to stick the hostname instead of the IP address in the host field, then add "connection_host = dns" to the config on your TCP input processor in inputs.conf.
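The corrected wiring described in this answer, written out as an added example (not configuration from the thread or from Splunk's own defaults). File paths follow the asker's layout under the search app; the output field name hostname, the lookup name myLookup and the sample IP rows are assumptions chosen for illustration.

```ini
# Added example: a working automatic lookup that writes to a new field
# instead of clobbering the built-in host field.

# $SPLUNK_HOME/etc/apps/search/lookups/hosts.csv
# (constructed sample rows; the header names are the fields used below)
#
#   ip,name
#   10.0.0.5,host1
#   10.0.0.6,host2

# $SPLUNK_HOME/etc/apps/search/local/transforms.conf
# The stanza name is the lookup name that props.conf must reference.
[myLookup]
filename = hosts.csv

# $SPLUNK_HOME/etc/apps/search/local/props.conf
# LOOKUP-<label> is the automatic-lookup key; "lookup_table" is not a
# props.conf setting, which is why the asker saw "lookup table 'hosts' does
# not exist". The event's ip field is matched against the ip column and the
# name column is emitted as hostname, leaving host untouched.
[syslog]
LOOKUP-hostname = myLookup ip OUTPUT name AS hostname
```

After a restart (or a debug/refresh), two quick checks confirm the pieces are visible to the search app: `| inputlookup hosts.csv` should return the CSV rows, and `sourcetype=syslog | lookup myLookup ip OUTPUT name AS hostname | table ip hostname` should show the mapped names. If either fails, the lookup definition is usually in a different app or not shared, not misspelled.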

ftk
Motivator

@drewbfl, you should take a look at tagging the hosts instead of renaming them. Easier and more portable. http://www.splunk.com/base/Documentation/latest/Knowledge/Tagthehostfield


Jeremiah
Motivator

How are you receiving the data? Are you using forwarders? You could always specify the hostname in your inputs.conf on the forwarder with something else (the "host=" stanza).


drewbfl
Path Finder

Great, thank you (in the solution sense, not the result sense). I didn't know this wasn't possible. Seems like it would be a nice feature to allow lookup of a table for the names to save time. DNS names for me are not the names I actually want which is part of the problem I suppose. Thank you.


Jeremiah
Motivator

I don't think you can overwrite the host field with a lookup. Take a look at this answer, it covers the same topic. If you want to replace host with something besides DNS or the IP, you'd probably want to do that when the data is indexed. Check the "Configure indexed field extraction" in the admin guide.

http://answers.splunk.com/questions/1884/lookups-using-them-to-replace-the-host-field
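Since a search-time lookup cannot rewrite the indexed host field, the two index-time routes mentioned in these answers (setting host on the forwarder input, or overriding host on the indexer before events are written) look like the following. This is an added example, not configuration from the thread; the IPs, host names, app name and monitored path are constructed placeholders.

```ini
# Added example: replacing an IP in the host field without DNS.

# Option 1: name the host on the forwarder, per input, in inputs.conf.
# $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf   (<app> is a placeholder)
[monitor:///var/log/syslog]
sourcetype = syslog
host = host1

# Option 2: override host on the indexer at index time, keyed on the
# incoming host value (the IP). This is the static mapping the asker wanted
# from a CSV, expressed as one stanza pair per address because index-time
# transforms cannot consult a lookup table.

# $SPLUNK_HOME/etc/system/local/transforms.conf
[sethost_host1]
REGEX = .
FORMAT = host::host1
DEST_KEY = MetaData:Host

[sethost_host2]
REGEX = .
FORMAT = host::host2
DEST_KEY = MetaData:Host

# $SPLUNK_HOME/etc/system/local/props.conf
# host:: stanzas match on the host value assigned at input time, so each
# source IP is routed to the transform that renames it.
[host::10.0.0.5]
TRANSFORMS-sethost = sethost_host1

[host::10.0.0.6]
TRANSFORMS-sethost = sethost_host2
```

Both options only affect events indexed after the change; already-indexed events keep the IP as their host. Option 2 also keeps the original IP out of the host field entirely, so if the address is still needed for investigation it should be preserved in the event body or a separate indexed field.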


drewbfl
Path Finder

I would like to replace the host field in the search app that shows just the IP of each host on the main page and for each event. I would like to use a lookup table instead of dns.
