
Automatic lookup to match hostnames with and without FQDN

Communicator

Hello, I need to generate an automatic lookup to match certain hosts for a project I'm working on.

The thing is, I have a list of servers in my scope, but this list sometimes contains only hostnames and other times the full FQDN, and that may differ from what I have in my host field in the Splunk metadata.

Example of the CSV:

"host" ,"description"
host1, dboraclehost1
host2, dboraclehost2
host3.mydomain.net, dboraclehost3
host4, "host4"
host5.dathost,net, "thehost5"

And in Splunk, in my host field I may have:
host1.mydomain.net
host5
host3
host4,thedomain.com

If that can be achieved via the UI, that would be best, but I can still do it with the .conf files.

Best regards!


Re: Automatic lookup to match hostnames with and without FQDN

Ultra Champion

You need your lookup to contain the wildcard (and in the correct place) so your lookup needs to look like this:

host, description
host1*, dboraclehost1
host2*, dboraclehost2
host3*, dboraclehost3
host4*, host4description
host5*, host5description

Then you need to create a lookup definition. You can do this via the UI:
give it a name, select file-based, and select your lookup.csv
- make sure to tick advanced options, and specify WILDCARD(host) under match type.

You can then search like:
<your search>|lookup host_description_definition host OUTPUT description

And make it automatic if you wish


Re: Automatic lookup to match hostnames with and without FQDN

Communicator

Thanks, I also made a report which formats the hostnames to hostname*

This includes hosts which cannot be resolved. I'll post the query in case someone needs something similar:

(This works only if a previous unformatted lookup is present. This report formats it.)

#lookup filler hosts
| inputlookup preliminar_hosts.csv
| rex field=host "(?<host>\d{1,}\.\d{1,}\.\d{1,}\.\d{1,}|[^.]+)"  
| eval host=(host + "*"), is_in_scope=1
| outputlookup processed_hosts.csv

Then with processed_hosts.csv, I made an automatic lookup which delivers the description and is_in_scope fields for every match.

Thanks a lot!!

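Added example, not part of the original thread: a pattern such as host1* also matches host10 or host11.mydomain.net, which matters when the lookup decides is_in_scope. The Python sketch below builds the thread's one-row form and a stricter two-row form (host1 and host1.*) and compares them with a simulated wildcard matcher; the function names, the sample rows and the first-match behaviour of the matcher are assumptions made for illustration, not Splunk code.

```python
import csv
import io
import re

# Constructed sample standing in for preliminar_hosts.csv
RAW = """host,description
host1,dboraclehost1
host3.mydomain.net,dboraclehost3
10.1.2.3,appliance
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def short_name(host):
    """IP addresses stay whole; anything else is cut at the first dot."""
    host = host.strip()
    return host if IPV4.match(host) else host.split(".", 1)[0]


def loose_rows(raw):
    """The thread's form: one 'short*' row per entry."""
    return [(short_name(r["host"]) + "*", r["description"])
            for r in csv.DictReader(io.StringIO(raw))]


def strict_rows(raw):
    """Two rows per hostname: the exact short name, and 'short.*' for any FQDN.
    IP addresses get a single exact row."""
    rows = []
    for r in csv.DictReader(io.StringIO(raw)):
        s = short_name(r["host"])
        rows.append((s, r["description"]))
        if not IPV4.match(s):
            rows.append((s + ".*", r["description"]))
    return rows


def wildcard_lookup(rows, host):
    """Simulated wildcard match: '*' matches any run of characters.
    Returns the first matching row's description (a simplification)."""
    for pattern, description in rows:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, host):
            return description
    return None
```

Writing the rows from strict_rows to the lookup file keeps the same WILDCARD(host) lookup definition; only the file contents change.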