All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to insert host name into event

benspader
Explorer
‎08-08-2013 07:51 AM

I have a real need to insert a hostname into an event at collection\index time not at search time. Seeing that most of the IP's that I'm looking to resolve to hostnames change very frequently I need to capture the hostname and include it in the event when it is indexed. Does anyone know a way to do that? I looked at these articles but they don't seem to be helpful to do it at index time.

So basically a quick reverse DNS lookup and insert it into the event as a "hostname" field would be perfect. This will allow me to follow specific hosts and have information on every IP that host had.

  1. http://splunk-base.splunk.com/answers/1884/lookups-using-them-to-replace-the-host-field
  2. http://splunk-base.splunk.com/answers/27840/ip-address-vs-hostname
  3. http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/
  4. http://splunk-base.splunk.com/answers/61853/resolve-ip-address

Thanks,
-Ben

Reply

mreynov_splunk
Splunk Employee
Splunk Employee
‎08-18-2015 12:00 PM

This is a 2-step process, because there are limited things you can do at index time and because we want to do as little as possible during index time for optimal performance. So without further ado, here goes:

  1. Rewrite the host field using the source IP in your event --> transforms.conf:
    REGEX = ^\w{3}\s+\d+\s+[\d:]{8}\s+(\S+) DEST_KEY = MetaData:Host FORMAT = host::$1
    1. Create a lookup of ips to hostnames using a saved search to be run at scheduled intervals: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources?r=sear...
0 Karma
Reply

LewisWheeler
Communicator
‎05-03-2016 03:41 PM

I tried this method, doesn't take into consideration dynamic IP addressing (DHCP Scope) - I need the dns entry to be added at the time of index and remain fixed. Anyone else found a way around this? I assume it is possible to add a field at index time from a external dns lookup but haven't found a way to implement it....

0 Karma
Reply

tlmayes
Contributor
‎07-14-2016 09:44 AM

Did you ever get this resolved? Have the same challenge and am not finding a solution

0 Karma
Reply

LewisWheeler
Communicator
‎07-15-2016 01:15 AM

Nope - I was told its not possible. Only way to do it would be to get the forwarder to grab the host name and send it across as part of the event. Didn't end up doing it that way though.

0 Karma
Reply

cespinoz
New Member
‎08-17-2015 05:10 PM

Hi, did you find out how to do this? I'm having the same requirement.

0 Karma
Reply

krugger
Communicator
‎08-08-2013 07:56 AM

In inputs.conf using connection_host = dns doesn't work for you?

This should set the host to the reverse DNS of the computer sending you data.

0 Karma
Reply

benspader
Explorer
‎08-08-2013 08:01 AM

But doesn't that just give me the hostname of the computer that is sending me data? I would like hostname of the src_IP seen within the event, this will be different than the computer\appliance sending me the data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...