Getting Data In

Can local hosts-file be used instead of reverse DNS

thoree
Explorer

Hi,

My Splunk-server receives syslogs from a number of devices that are not registered in reverse dns, therefore the events in Splunk shows the ipaddress, not the hostname. Is it possible to configure Splunk to use its local hosts-file to resolve the names? So that I can register all the devises in the local hosts-file to resolve the problem?

Tags (2)
0 Karma

tgow
Splunk Employee
Splunk Employee

This is typically configured on the OS of the system on the order of name resolution. If you configure the following on the inputs.conf file for the syslog input:

[udp://<remote server>:<port>]
connection_host = dns

The /etc/nsswitch.conf file has the order information for name resolution. Here is an example:

hosts: dns files

The gethostbyname library will look first to resolve the name with dns and if it does not find an answer then it will look at the local /etc/hosts next.

Hope this helps.

0 Karma
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...