Splunk indexer displays events from my new forwarder with the host field showing IP address, I want the hostname

mazer
Explorer

Hi,

My forwarder is forwarding messages from a private subnet to our splunk indexer.

Here's an example of what I'm getting:

3:57:04.000 PM  
Mar  5 15:57:04 10.150.XXX.XXX logmgr: ID = 516 : Tue Mar  5 15:53:59 2013 : Audit : Log : minor : root : Set : object = "/SP/alertmgmt/rules/testalert" : value = "true" : success

    host=10.150.XXX.XXX
    sourcetype=udp:514
    source=udp:514

What I'd like is for the hostname to be resolved.

On the forwarder I can resolve the IP address to a hostname:

$ host 10.150.XXX.XXX

XXX.XXX.150.10.in-addr.arpa domain name pointer XXXXX-ilom.university.ac.uk.

I had a look at the splunk documentation and tried the instructions here to get around the problem:
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources

In summary, I made the following changes to the quoted files, ensured there was also a copy of each in /opt/splunk/etc/apps/SplunkForwarder/local and restarted splunk, but it didn't work.

In /opt/splunk/etc/system/local/props.conf
Added the 2 bottom lines to the access_combined section:

[access_combined]
pulldown_type = true 
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
LOOKUP-dns = dnsLookup host OUTPUT ip AS clientip
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname

In /opt/splunk/etc/system/local/transforms.conf
Changed the following 2 lines in the dns_lookup section:

external_cmd = external_lookup.py host ip
fields_list = host, ip

Does anyone have any ideas what I'm doing wrong?

Many Thanks, Maria


mazer
Explorer

Here's the answer for those who need it.

In /opt/splunk/etc/system/local/inputs.conf you need:

[udp://514]
connection_host=dns

The thing that threw me for ages was that you need the 514; without it you would expect it to work for all, but for some reason it does not!!!!
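To check for the gotcha described in this answer, here is a small added audit script (not part of Splunk or of the original post) that reads an inputs.conf and reports UDP port stanzas that will still label events with the sender's IP. It models the thread's finding that only the port-specific `[udp://514]` stanza counts, not a bare `[udp]` stanza; the two config texts are constructed samples.

```python
"""Audit a Splunk inputs.conf for UDP inputs that lack connection_host = dns.

Added example for this thread; it does not contact an indexer. Per the
accepted answer, only the port-specific stanza ([udp://514]) is honoured,
so a bare [udp] stanza is deliberately ignored here (this is the thread's
observation, not a claim about Splunk internals beyond it).
"""
import configparser

# Constructed sample: the asker's situation, no connection_host at all.
BEFORE = """
[udp://514]
sourcetype = syslog
"""

# Constructed sample: the fix from the answer, plus a bare [udp] stanza
# that on its own would not have helped.
AFTER = """
[udp]
connection_host = dns

[udp://514]
connection_host = dns
sourcetype = syslog
"""


def audit_udp_inputs(conf_text):
    """Return {port: connection_host} for every [udp://port] or
    [udp://host:port] stanza; missing values are reported as 'unset'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for name in cp.sections():
        if not name.startswith("udp://"):
            continue  # bare [udp] and non-UDP inputs do not set host per port
        port = int(name[len("udp://"):].rsplit(":", 1)[-1])
        result[port] = cp.get(name, "connection_host", fallback="unset")
    return result


def findings(conf_text):
    """One line per UDP port whose events will show the sender IP as host."""
    return [
        f"udp/{port}: host will be the sender IP; "
        f"add connection_host = dns to [udp://{port}]"
        for port, mode in sorted(audit_udp_inputs(conf_text).items())
        if mode != "dns"
    ]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, findings(text) or ["ok: all UDP inputs resolve host via DNS"])
```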

mazer
Explorer

Sorry, thought I'd done that!!!!

giorgio_adami_m
Path Finder

mark it as answered 😉
