topic Re: Adding domain name to hostnames in Splunk Search

Adding domain name to hostnames

msupino — Thu, 12 Aug 2010 19:04:07 GMT

I have multiple LightForwarded, in different domains, who have similar host names (machines inside one domain are the same as machines in another domain),

how can i configure each splunk LightForwarder to add the domain name of any event it sends to the Central splunk ?

Re: Adding domain name to hostnames

ftk — Thu, 12 Aug 2010 22:50:59 GMT

You can edit the hostname assigned to events from a host by editing the host= value in your $SPLUNK_HOME/etc/system/local/inputs.conf. Just change it from

host=hostname

host=hostname.domain.com

Re: Adding domain name to hostnames

msupino — Thu, 12 Aug 2010 23:29:07 GMT

this will change the local events, but events from the syslog, for example, will not be changed by this, which is fine, as they might come from other machines in the same domain.

so, i want to add .something.com to all hostname evetns, is that possible somehow ?

Re: Adding domain name to hostnames

ftk — Fri, 13 Aug 2010 00:03:07 GMT

I'm sorry, but i'm not sure what you're trying to get at here. Your question indicated you're using a forwarder setup rather than syslog. How are you sending your syslog to splunk? Via a direct network input in splunk or via syslog-ng and then indexing the resulting logs?

Re: Adding domain name to hostnames

msupino — Fri, 13 Aug 2010 01:22:01 GMT

syslog has info from local and remove machines

the *nix app is fixed by host= entry
but, the same host writes things to syslog,and other nodes writes to syslog through syslogd, these entires dont have the domaine, for example,

Aug 12 14:20:06 xen00 last message repeated 3 times
this doesnt have the domain name, so the same machine, from different SplunkLightForwarders in different locations will be indexed under the same hostname.

i want splunk in each location to add a domain name to the hostname it sees in syslog.

Re: Adding domain name to hostnames

msupino — Fri, 13 Aug 2010 01:22:40 GMT

just to be clear, *nix is parsing /var/log/syslog

Re: Adding domain name to hostnames

Lowell — Fri, 13 Aug 2010 22:11:11 GMT

I recommend using a transformer for adding a static domain name to your host field. I've previously posted some config examples (linke below) that works for the syslog (and various derived) sourcetypes. The example shown is smart enough not to accidentally append your domain to an IP address.

Please see my answer here:

hostname rename using TRANSFORMS

Re: Adding domain name to hostnames

Lowell — Fri, 13 Aug 2010 22:16:00 GMT

Splunk has a transformer that extracts "host" from syslog sourcetypes, and that will override any given host=myhostname that you setup in inputs.conf. Just for the record, I do think setting your hostname in this way is also a good idea, but I suggest doing so at the top of system/local/inputs.conf (as ftk suggests) rather than in the unix app--this way the setting is fully global and not limited to a single app context.

Re: Adding domain name to hostnames

msupino — Sat, 14 Aug 2010 01:13:51 GMT

will this work on a LightForwarder ?

Re: Adding domain name to hostnames

Lowell — Sat, 14 Aug 2010 04:23:00 GMT

I'm not 100% sure, you can try it. Worst case scenario is that you have to put it on the indexer. I think this also depends on your Splunk version, I think 4.0 does more on light forwarder than was handled by the 3.x light forwarders.

Re: Adding domain name to hostnames

msupino — Mon, 28 Sep 2020 09:15:54 GMT

i looked at the example above, and see :

[syslog_add_mfpsdotcom]
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Host
REGEX = host::([A-Za-z][-_A-Za-z0-9]*[A-Za-z0-9])$
FORMAT = host::$1.my-domain-name.com

[syslog]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

[linux_messages_syslog]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

[linux_secure]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

[postfix_syslog]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

[sendmail_syslog]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

Re: Adding domain name to hostnames

msupino — Sun, 15 Aug 2010 23:29:05 GMT

and have a few quesions,
first, can this be debuged somehow ?
or log showing whats happening ?
also, why do the entries inside [] dont match ? should they ?

Re: Adding domain name to hostnames

Lowell — Mon, 16 Aug 2010 20:04:03 GMT

Note that I had a typo on that page, which has been fixed now. The transformer should have been named syslog_add_fqdn. Hopefully that was obvious from the context, but it was a mistake which has been corrected now.

Re: Adding domain name to hostnames

Lowell — Mon, 16 Aug 2010 20:08:36 GMT

I don't know of any way to really "debug" this type of activity other than to actually try it. Hopefully fixing the transformer name will resolve the issue.