topic How do I capture both IP (ip_address) and hostname (host) information in my logs? in Getting Data In

How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Tue, 29 Sep 2020 08:54:55 GMT

Hello all.

I am trying to capture BOTH IP address info AND hostname in my logs. This data needs to be part of the actual logged data, not an added lookup field.

I have found this line in the inputs.conf file:

[default]
connection_host = <ip/dns>

By messing around with this, I was able to get this default section to work:

[default]
host = localhost
connection_host = ip

By adding the "localhost", the forwarder is forced to use the connection_host line for the "host" field.
Now my search results show an IP address for the "host" field in my searches.

The problem is, I need both IP info AND hostname data, and I would really like the hostname to be in the "host" field, and put the IP address in a custom field (I assume "_meta:IP_ADDRESS::myip)

My reason for this need:
We will be working with several different groups of computers, and there will most likely be hostname or ip address overlaps.
Also, the security team likes to be able to trace activity back via IP address, as not all devices log DNS names of network activity (firewalls/switches). With so many internal networks, we have no insight to their DNS for lookups anyways. IP is much easier.

I need to have my log contain the fields:
ip_address =
host =

Currently, I can only get my "host" to be EITHER ip or hostname. I have no way to populate ip_address with data.

This is a continuation of this post from last year: https://answers.splunk.com/answers/271921/how-to-keep-ip-source-info-from-the-originating-un.html

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Tue, 29 Sep 2020 08:55:00 GMT

One option that should work is to keep host as an ip address (working) and add a "host_name" custom field (not working).
is it possible to do something like this on the universal forwarder:

[default]
_meta = host_name::$hostname

I have been unable to get that to work. I did add a hardcoded value to _meta, but only when under a sourcetype, not in the [default] section.
Maybe _meta isn't the right option here for forcing an additional custom field?

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

muebel — Fri, 26 Feb 2016 03:28:33 GMT

Generally a lookup is the preferred way of going about something like this, but if that isn't an option, you could make the host field multivalue, and append the IP delimited by a '|', i.e.

# inputs.conf
[default]
server = myhostname.mydomain.com|192.168.1.100

And then extract as needed at search time.

Alternatively, you might be able to setup something to add an index time field. by something like:

#transforms.conf
[ip_field_set]
FORMAT = ip_address::192.168.1.100
WRITE_META = true
REGEX = (.+?)

#props.conf
[default]
TRANSFORMS-ip_field_set = ip_field_set

Or you could do some sort of combination, setting the source servername as a multivalue field, and then down the line setup props/transforms to extract the IP to a new field, while shortener the hostname to just the hostname.

Please let me know if this helps in any way 😄

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Fri, 26 Feb 2016 15:53:50 GMT

I tried:

[default]
host = localhost|foo
connection_host = ip

and

[default]
host = localhost|$COMPUTERNAME
connection_host = ip

This only gives me an IP address still. The text "foo" never shows up in the listing of log files. If I could get this to work, I think it may meet my needs, though.

I think I have to continue to use the connection_host = IP method of extracting an IP, because I cant be hardcoding ip addresses or hostnames anywhere.

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Mon, 29 Feb 2016 18:29:20 GMT

I just realized something in your answer I missed before:
Your method works, but only with hardcoded values. I really need something that pulls some sort of variable, like the $decideAtStartup host variable, or $hostname.
But these do not work/I am using the wrong syntax.

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Thu, 17 Mar 2016 15:17:51 GMT

Bump! Still definitely interested in how to capture both pieces of info

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Thu, 31 Mar 2016 18:26:04 GMT

another bump

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Wed, 27 Apr 2016 15:34:17 GMT

and another.

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

oliverj — Tue, 12 Jul 2016 15:25:52 GMT

And another.

Re: How do I capture both IP (ip_address) and hostname (host) information in my logs?

Vanvanvantasy — Fri, 03 Sep 2021 08:45:22 GMT

Another bump from 6 years later. still facing similar issue and what a answer to this question