topic Re: How to put FQDN in syslog input instead of IP address? in Getting Data In

How to put FQDN in syslog input instead of IP address?

lguinn2 — Thu, 02 Dec 2010 07:28:47 GMT

I am indexing a file of aggregated syslog events. The events in the file contain the IP addresses of the various hosts.

If I could input this data as a network input (TCP or UDP), I would be able to use the DNS setting on the input, and Splunk would do a reverse DNS lookup on the IPs as the events arrived. But that is not an option in this case.

I do want to index this file using the FQDN of the hosts, rather than the IP addresses. This would be more consistent with my other inputs, and I believe it would be more efficient than running external_lookup.py all the time.

Is this possible with Splunk 4.1.x?

Re: How to put FQDN in syslog input instead of IP address?

gkanapathy — Thu, 02 Dec 2010 07:41:02 GMT

Yes. I'm assuming you're using Splunk UDP input. If you're using a syslog server and Splunking in the resulting file, you should set up the syslog server to do the lookup when it writes to the file. With a Splunk UDP input add:

connection_host = dns

to the input stanza for the UDP input in inputs.conf.

Re: How to put FQDN in syslog input instead of IP address?

lguinn2 — Fri, 10 Dec 2010 04:53:18 GMT

I am not using UDP, but this still answered my question. I need to set up the syslog server to do the DNS lookup.

Re: How to put FQDN in syslog input instead of IP address?

NetFlow_Logic — Tue, 28 May 2013 00:58:14 GMT

Our customers are asking about resolving IP addresses to FQDN in Splunk. Are there any development in this area in Splunk since 2010?