topic Re: How to insert host name into event in All Apps and Add-ons

How to insert host name into event

benspader — Thu, 08 Aug 2013 14:51:39 GMT

I have a real need to insert a hostname into an event at collection\index time not at search time. Seeing that most of the IP's that I'm looking to resolve to hostnames change very frequently I need to capture the hostname and include it in the event when it is indexed. Does anyone know a way to do that? I looked at these articles but they don't seem to be helpful to do it at index time.

So basically a quick reverse DNS lookup and insert it into the event as a "hostname" field would be perfect. This will allow me to follow specific hosts and have information on every IP that host had.

Thanks,
-Ben

Re: How to insert host name into event

krugger — Thu, 08 Aug 2013 14:56:36 GMT

In inputs.conf using connection_host = dns doesn't work for you?

This should set the host to the reverse DNS of the computer sending you data.

Re: How to insert host name into event

benspader — Thu, 08 Aug 2013 15:01:39 GMT

But doesn't that just give me the hostname of the computer that is sending me data? I would like hostname of the src_IP seen within the event, this will be different than the computer\appliance sending me the data.

Re: How to insert host name into event

cespinoz — Tue, 18 Aug 2015 00:10:42 GMT

Hi, did you find out how to do this? I'm having the same requirement.

Re: How to insert host name into event

mreynov_splunk — Tue, 18 Aug 2015 19:00:27 GMT

This is a 2-step process, because there are limited things you can do at index time and because we want to do as little as possible during index time for optimal performance. So without further ado, here goes:

Rewrite the host field using the source IP in your event --> transforms.conf:
REGEX = ^\w{3}\s+\d+\s+[\d:]{8}\s+(\S+) DEST_KEY = MetaData:Host FORMAT = host::$1
1. Create a lookup of ips to hostnames using a saved search to be run at scheduled intervals: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources?r=searchtip#Use_search_results_to_populate_a_lookup_table

Re: How to insert host name into event

LewisWheeler — Tue, 03 May 2016 22:41:59 GMT

I tried this method, doesn't take into consideration dynamic IP addressing (DHCP Scope) - I need the dns entry to be added at the time of index and remain fixed. Anyone else found a way around this? I assume it is possible to add a field at index time from a external dns lookup but haven't found a way to implement it....

Re: How to insert host name into event

tlmayes — Thu, 14 Jul 2016 16:44:37 GMT

Did you ever get this resolved? Have the same challenge and am not finding a solution

Re: How to insert host name into event

LewisWheeler — Fri, 15 Jul 2016 08:15:20 GMT

Nope - I was told its not possible. Only way to do it would be to get the forwarder to grab the host name and send it across as part of the event. Didn't end up doing it that way though.