topic Re: Search results - How to prevent DNS resolution in Splunk Search

How to prevent DNS resolution?

willspk — Tue, 21 Feb 2023 17:55:36 GMT

Hey all,

Our raw syslogs are showing IP addresses of sourced events, but the results in Splunk is changing the IP addresses to their respective hostnames/FQDNs.

If I want to see the results without the name resolution how can I do this? I just need to see the IP addresses, as per the actual raw syslog.

Thanks,

Will

Re: Search results - How to prevent DNS resolution

PaulPanther — Tue, 21 Feb 2023 11:04:06 GMT

Hi, I guess you're receiving syslog data directly on a data collection node like a heavy forwarder if yes you could configure following parameter in your inputs.conf

connection_host = [ip|dns|none] * How the network input sets the host field for the events it generates. * A value of "ip" sets the host to the IP address of the system sending the data. * A value of "dns" sets the host to the reverse DNS entry for the IP address of the system that sends the data. For this to work correctly, set the forward DNS lookup to match the reverse DNS lookup in your DNS configuration. * A value of "none" leaves the host as specified in inputs.conf, typically the hostname of the system running Splunk software. * Default: dns

inputs.conf - Splunk Documentation

Re: Search results - How to prevent DNS resolution

PickleRick — Tue, 21 Feb 2023 11:34:19 GMT

What do you mean by "the results in Splunk is changing the IP addresses to their respective hostnames/FQDNs"? Where?

Most probably you mistake the metadata field associated with an event with data contained in the event.

Re: Search results - How to prevent DNS resolution

willspk — Tue, 21 Feb 2023 14:34:40 GMT

Yea, what we're using for Syslog collection is doing the name resolution. Not Splunk. I swear I deleted this as soon as I realised my mistake!

Thanks for the input nonetheless.