- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to insert host name into event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to insert host name into event
I have a real need to insert a hostname into an event at collection\index time not at search time. Seeing that most of the IP's that I'm looking to resolve to hostnames change very frequently I need to capture the hostname and include it in the event when it is indexed. Does anyone know a way to do that? I looked at these articles but they don't seem to be helpful to do it at index time.
So basically a quick reverse DNS lookup and insert it into the event as a "hostname" field would be perfect. This will allow me to follow specific hosts and have information on every IP that host had.
- http://splunk-base.splunk.com/answers/1884/lookups-using-them-to-replace-the-host-field
- http://splunk-base.splunk.com/answers/27840/ip-address-vs-hostname
- http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/
- http://splunk-base.splunk.com/answers/61853/resolve-ip-address
Thanks,
-Ben
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a 2-step process, because there are limited things you can do at index time and because we want to do as little as possible during index time for optimal performance. So without further ado, here goes:
- Rewrite the host field using the source IP in your event -->
transforms.conf:
REGEX = ^\w{3}\s+\d+\s+[\d:]{8}\s+(\S+) DEST_KEY = MetaData:Host FORMAT = host::$1- Create a lookup of ips to hostnames using a saved search to be run at scheduled intervals: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources?r=sear...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this method, doesn't take into consideration dynamic IP addressing (DHCP Scope) - I need the dns entry to be added at the time of index and remain fixed. Anyone else found a way around this? I assume it is possible to add a field at index time from a external dns lookup but haven't found a way to implement it....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever get this resolved? Have the same challenge and am not finding a solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope - I was told its not possible. Only way to do it would be to get the forwarder to grab the host name and send it across as part of the event. Didn't end up doing it that way though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, did you find out how to do this? I'm having the same requirement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In inputs.conf using connection_host = dns doesn't work for you?
This should set the host to the reverse DNS of the computer sending you data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But doesn't that just give me the hostname of the computer that is sending me data? I would like hostname of the src_IP seen within the event, this will be different than the computer\appliance sending me the data.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
