topic Re: Summary view host name instead of ip address in Knowledge Management

Summary view host name instead of ip address

kmille2 — Fri, 03 Sep 2010 01:53:47 GMT

How can a device name be displayed for the IP address in the summary search window?

Re: Summary view host name instead of ip address

southeringtonp — Fri, 03 Sep 2010 02:17:59 GMT

The cleanest approach would be to try to find out why the host field is being set to the IP address instead of a hostname on input and fix it there. That would only apply to new events going forward though.

If you want to change the display, you will need to modify the dashboard.xml in the search app. It's driven by this search:

| metadata type=hosts

so you would need to modify it to use a lookup table. Using the nslookup command may also be possible, but I believe that command needs raw events to operate on, and would not work with the output of the metadata command.

Re: Summary view host name instead of ip address

gkanapathy — Fri, 03 Sep 2010 03:43:27 GMT

I'm going to guess that you've got UDP syslog data coming in to Splunk, in which case you need to enable the

connection_host = dns

in the inputs.conf. I think there is also a setting for this in the GUI for the UDP input.

Re: Summary view host name instead of ip address

DrewO — Fri, 03 Sep 2010 05:11:48 GMT

Gerald is correct. By default network inputs assign the sending device/server's ip address as the host name, you can switch it so that Splunk will do a reverse DNS lookup on the IP and grab that as the host name. If you are using Splunk 4.1.x you can make this change in the Splunk Manager, previous versions require you to make the change directly to inputs.conf. (See the docs http://www.splunk.com/base/Documentation/latest/Admin/Monitornetworkports for details.)

Once you make the change as new data comes in the host name will appear in the summary view. However, since the host field is an indexed field your change will not be retroactive, your old data will still have IPs for host names. You can either just wait for the older data to age out of your system and the IP hosts will disappear, or you could delete the older data manually once it's lost it relevance.

Re: Summary view host name instead of ip address

kmille2 — Sat, 11 Sep 2010 00:34:34 GMT

Thanks for the info on your posts; the devices sending Syslog to our Splunk are not in our DNS. So I have settled for adding a descriptive tag to the IP address.

Re: Summary view host name instead of ip address

kmille2 — Sat, 11 Sep 2010 00:42:37 GMT

For now all the devices are sending syslog and none of them are in our DNS servers.

Re: Summary view host name instead of ip address

DrewO — Wed, 22 Sep 2010 05:36:19 GMT

Yeah, without a DNS entry there's no easy way. Using a tag is a great solution though since tags are search time changes and will automatically be retroactive.

Re: Summary view host name instead of ip address

stefanlasiewski — Wed, 30 Nov 2011 01:27:49 GMT

The URL above no longer exists. Is there a newer URL?