https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11828#M726 <P>I think that the system hosting splunk needs to be configured to do dns lookups for this new port. I could be wrong...but check this out:</P> <P>options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (yes); use_fqdn (yes); use_time_recvd (yes); create_dirs (yes); keep_hostname (yes); };</P> <H1>==============</H1> <H1>SOURCES</H1> <H1>==============</H1> <P>source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); # udp(ip(0.0.0.0) port(514)); };</P> <P>source s_net { udp(ip(0.0.0.0) port (514)); };</P> <P>This is from my syslog-ng.conf file. Maybe adding the following will help?</P> <P>source s_net { udp(ip(0.0.0.0) port (515)); };</P> Wed, 21 Apr 2010 00:56:28 GMT mayler 2010-04-21T00:56:28Z https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11827#M725 <P>Server is running 4.1.</P> <P>This does not seem to be an issue for default udp (that is, udp/514) messages.</P> <PRE> [udp://9514] disabled = false sourcetype = cisco_syslog index = udp9514 connection_host = dns </PRE> <P>Received syslog messages retain their IP address and not get switched to hostname.</P> Tue, 20 Apr 2010 18:35:30 GMT https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11827#M725 gshah 2010-04-20T18:35:30Z https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11828#M726 <P>I think that the system hosting splunk needs to be configured to do dns lookups for this new port. I could be wrong...but check this out:</P> <P>options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (yes); use_fqdn (yes); use_time_recvd (yes); create_dirs (yes); keep_hostname (yes); };</P> <H1>==============</H1> <H1>SOURCES</H1> <H1>==============</H1> <P>source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); # udp(ip(0.0.0.0) port(514)); };</P> <P>source s_net { udp(ip(0.0.0.0) port (514)); };</P> <P>This is from my syslog-ng.conf file. Maybe adding the following will help?</P> <P>source s_net { udp(ip(0.0.0.0) port (515)); };</P> Wed, 21 Apr 2010 00:56:28 GMT https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11828#M726 mayler 2010-04-21T00:56:28Z https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11829#M727 <P>Just checked my data input (because i'm doing the same thing) and turns out...there is a radio button for DNS. </P> <P>Navigate to Admin/Manager..whatever (from web ui), Data Inputs, UDP, Your UDP 515 or other port, make sure "Set Host" has DNS selected. </P> Wed, 21 Apr 2010 01:00:01 GMT https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11829#M727 mayler 2010-04-21T01:00:01Z https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11830#M728 <P></P><P>This should work the same for both. Can you please review the output of splunk cmd btool inputs list</P> Wed, 21 Apr 2010 01:15:25 GMT https://community.splunk.com/t5/Getting-Data-In/hostname-from-non-default-udp-input-does-not-get-converted-into/m-p/11830#M728 jrodman 2010-04-21T01:15:25Z