topic Re: Various hostnames for a single server in Splunk Search

Various hostnames for a single server

remy06 — Wed, 05 May 2010 10:58:13 GMT

Hi,

Currently on our Splunk server, under Search "Summary" I have various hostnames registered under "Hosts" section for a single server that is sending logs via syslog.

Eg. Hosts(1) ...... xx1 ... | 23456 xx1.abc ... | 24587 xx1.abc.com ... | 12645

which in fact they all refer to the same server (xx1,which is the latest hostname used) with the same IP.

My configuration under Manager > Data Inputs > UDP > 514 > Host is set as "DNS"

1) How do I amend the various hostnames to reflect as one instead? 2) If I set the data input to "IP" instead of "DNS",it should have 1 entry(IP) now instead of various entries(DNS hostnames) for xx1 server? 3) How do I correct the current Summary page to reflect the hosts properly?

Thanks.

Re: Various hostnames for a single server

jrodman — Wed, 05 May 2010 12:23:56 GMT

For syslog, we pull the hostname out of the text of the syslog events.

Options:

Investigate syslog data to see if the events hav varying forms of the host name
Disable the extraction of the hostname from the event for your data, or some subset of that data. There's a venerable blogpost about this here http://blogs.splunk.com/2008/04/16/overriding-default-syslog-host-extraction/

Re: Various hostnames for a single server

chris — Wed, 05 May 2010 15:48:37 GMT

We have several DNS aliases for our hosts so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups

http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources

There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/

Re: Various hostnames for a single server

remy06 — Wed, 12 May 2010 17:23:17 GMT

Hi, It may not be syslog only..can be from windows servers via light forwarding as well..

under Summary > All indexed data > Hosts I can have the following:

a1.windows a2.windows.com .. x1.linux x2.linux.abc

where a1.windows and a2.windows.com both refer to the same machine with same ip.So are x1.linux and x2.linux.abc both refers to the same linux machine.

I am trying some of the links provided. I like to classify them under a single hostname, in the above eg..'AA' for 2 windows server and 'XX' for the 2 linux server.

Thanks..