Hi,
My Splunk-server receives syslogs from a number of devices that are not registered in reverse dns, therefore the events in Splunk shows the ipaddress, not the hostname. Is it possible to configure Splunk to use its local hosts-file to resolve the names? So that I can register all the devises in the local hosts-file to resolve the problem?
This is typically configured on the OS of the system on the order of name resolution. If you configure the following on the inputs.conf file for the syslog input:
[udp://<remote server>:<port>]
connection_host = dns
The /etc/nsswitch.conf file has the order information for name resolution. Here is an example:
hosts: dns files
The gethostbyname library will look first to resolve the name with dns and if it does not find an answer then it will look at the local /etc/hosts next.
Hope this helps.