topic connection_host = dns not working in Getting Data In https://community.splunk.com/t5/Getting-Data-In/connection-host-dns-not-working/m-p/292194#M96087 <P>Hi,</P> <P>I set new sourcetype: syslog-net for syslog events I don't want to extract host from.<BR /> My settings:</P> <P>inputs.conf <BR /> [udp://55555]<BR /> connection_host = dns<BR /> disabled = 0<BR /> index = net<BR /> sourcetype = syslog-net</P> <P>props.conf<BR /> [syslog-net]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> REPORT-syslog = syslog-extractions<BR /> SHOULD_LINEMERGE = False<BR /> TIME_FORMAT = %b %d %H:%M:%S<BR /> category = Operating System<BR /> maxDist = 3<BR /> pulldown_type = true<BR /> TRANSFORMS = </P> <P>Problem is that it sometimes (for some IP address) doesn't work. I see reverse dns requests to DNS server, but even if there are responses, I see some IP not resolved (10.26.x.y instead of resolved host name).</P> <P>Do you have any ideas? </P> Tue, 29 Sep 2020 12:49:03 GMT lukasz92 2020-09-29T12:49:03Z connection_host = dns not working https://community.splunk.com/t5/Getting-Data-In/connection-host-dns-not-working/m-p/292194#M96087 <P>Hi,</P> <P>I set new sourcetype: syslog-net for syslog events I don't want to extract host from.<BR /> My settings:</P> <P>inputs.conf <BR /> [udp://55555]<BR /> connection_host = dns<BR /> disabled = 0<BR /> index = net<BR /> sourcetype = syslog-net</P> <P>props.conf<BR /> [syslog-net]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> REPORT-syslog = syslog-extractions<BR /> SHOULD_LINEMERGE = False<BR /> TIME_FORMAT = %b %d %H:%M:%S<BR /> category = Operating System<BR /> maxDist = 3<BR /> pulldown_type = true<BR /> TRANSFORMS = </P> <P>Problem is that it sometimes (for some IP address) doesn't work. I see reverse dns requests to DNS server, but even if there are responses, I see some IP not resolved (10.26.x.y instead of resolved host name).</P> <P>Do you have any ideas? </P> Tue, 29 Sep 2020 12:49:03 GMT https://community.splunk.com/t5/Getting-Data-In/connection-host-dns-not-working/m-p/292194#M96087 lukasz92 2020-09-29T12:49:03Z Re: connection_host = dns not working https://community.splunk.com/t5/Getting-Data-In/connection-host-dns-not-working/m-p/292195#M96088 <P>I have only one idea. Your sourcetype from props.conf overwrite resolved host field. You can read about it <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf">input.conf example</A>:</P> <PRE><CODE>* If the input is configured with a 'sourcetype' that has a transform that overrides the 'host' field e.g. 'sourcetype=syslog', that will take precedence over the host specified here. </CODE></PRE> Thu, 09 Feb 2017 14:07:25 GMT https://community.splunk.com/t5/Getting-Data-In/connection-host-dns-not-working/m-p/292195#M96088 ronekarleone 2017-02-09T14:07:25Z