I have been trying to learn where to begin with this, but I'm still struggling three days later, so I figured I would ask here.
I am trying to display OSPF and PIM neighbor tables that I have sent to syslog, but instead of displaying them with their IP addresses, I would like to use names I have in a csv file.
The format of the CSV file, I think, should be something like this:

ip, hostname
184.108.40.206, Router1
10.127.99.213, Router2
220.127.116.11, Router3
172.16.1.1, Router4
This is the syslog output from the router as it's shown in Splunk:
May 3 16:18:07 172.16.8.81 451: *Mar 1 00:32:24.691: %HA_EM-6-LOG: sys:
May 3 16:18:07 172.16.8.81 452:
May 3 16:18:07 172.16.8.81 453: Neighbor ID Pri State Dead Time Address Interface
May 3 16:18:07 172.16.8.81 454: 18.104.22.168 1 FULL/BDR 00:00:35 172.16.1.1 FastEthernet0/0
May 3 16:18:07 172.16.8.81 455: 22.214.171.124 1 FULL/BDR 00:00:38 10.127.99.213 FastEthernet1/0
I don't know how to go about actually applying this stuff to the syslog output. If anyone can suggest a simple way to accomplish this I would be so happy!
If there is an easier way to do this (No DHCP) then please suggest. Thanks!
The easiest solution may not be a "Splunk" one at all. Put your router IPs in /etc/hosts on the machine receiving the syslog. Let it write the proper host names into the events as they are received.
I am making an assumption here that you are using syslog-ng or rsyslog or something as the UDP receiver and letting Splunk read its input files. If you're using Splunk's own UDP receiver, you may need to set:
connection_host = dns
for the appropriate stanza in inputs.conf.
You'll first need to make sure that you're capturing the dotted IP address from the log lines as a field. Let's say you've set it up and have a field called host_ip. (The host field created by Splunk may or may not reflect the IP address of the router device, depending upon whether or not you have the data going over a syslog channel directly into Splunk, or whether there is a syslog receiver and Splunk Forwarder in between....)
Once you have a field containing the dotted IP, you're talking about a lookup. Use the Manager > Lookups section to first create a file (with the contents you've provided), then create a lookup definition, to be able to refer to it by name. Let's say you called the file router_ips.csv, and then created a lookup definition router_lookup to refer to that file.
Now, in the search bar, you could do:
< your search > | lookup router_lookup ip AS host_ip OUTPUT hostname. At this point the hostname field would contain a string like 'Router4'.
You can further configure this lookup (again, via the Manager) to be automatic, and not require the extra "lookup" step described above.
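The two steps this answer describes, field extraction and then the CSV lookup, reproduced in Python as an added example (not code from the original thread or from Splunk) so the logic can be checked on the sample events before building the Splunk extraction and lookup definition. The CSV text and the log lines are constructed from the question's samples, with one extra neighbor row whose address is deliberately absent from the table to show the no-match case; the regex, field names and function names are this example's own assumptions.

```python
"""
Added example: emulate the answer's two steps outside Splunk.

Step 1: extract the neighbor's dotted IP (the "Address" column of the OSPF
neighbor table) from each syslog event as a field, here called host_ip.
Step 2: join that field against a CSV of (ip, hostname) rows, the way
`| lookup router_lookup ip AS host_ip OUTPUT hostname` would.
"""
import csv
import io
import re

# Constructed lookup table, in the layout the question proposes.
ROUTER_CSV = """ip, hostname
184.108.40.206, Router1
10.127.99.213, Router2
220.127.116.11, Router3
172.16.1.1, Router4
"""

# Constructed syslog events, one per line, based on the question's sample.
# The last row is an extra constructed neighbor with no entry in the CSV.
SYSLOG_EVENTS = [
    "May 3 16:18:07 172.16.8.81 453: Neighbor ID Pri State Dead Time Address Interface",
    "May 3 16:18:07 172.16.8.81 454: 18.104.22.168 1 FULL/BDR 00:00:35 172.16.1.1 FastEthernet0/0",
    "May 3 16:18:07 172.16.8.81 455: 22.214.171.124 1 FULL/BDR 00:00:38 10.127.99.213 FastEthernet1/0",
    "May 3 16:18:07 172.16.8.81 456: 10.0.0.9 1 FULL/DR 00:00:31 192.0.2.77 FastEthernet2/0",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# One OSPF neighbor row: neighbor ID, priority, state, dead time, address,
# interface. Requiring the full column layout keeps the header line and the
# syslog prefix (date, relay IP, sequence number) from matching as data;
# the named groups become the extracted fields.
NEIGHBOR_ROW = re.compile(
    rf"(?P<neighbor_id>{IPV4})\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    rf"(?P<dead_time>\d\d:\d\d:\d\d)\s+(?P<host_ip>{IPV4})\s+(?P<interface>\S+)\s*$"
)


def load_lookup(csv_text):
    """Parse the CSV into {ip: hostname}. skipinitialspace tolerates the
    space after each comma so '184.108.40.206' matches whether or not the
    file was padded."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    return {row["ip"].strip(): row["hostname"].strip() for row in reader}


def extract_fields(event):
    """Return the neighbor-row fields for one syslog event, or None when the
    event is not a data row (the column header line, an empty EEM line)."""
    m = NEIGHBOR_ROW.search(event)
    return m.groupdict() if m else None


def apply_lookup(events, csv_text):
    """Emulate `| lookup router_lookup ip AS host_ip OUTPUT hostname`.

    Each data row gets a 'hostname' field; a row whose address is not in
    the table gets None, mirroring Splunk leaving the OUTPUT field absent
    when the lookup has no match."""
    table = load_lookup(csv_text)
    rows = []
    for event in events:
        fields = extract_fields(event)
        if fields is None:
            continue
        fields["hostname"] = table.get(fields["host_ip"])
        rows.append(fields)
    return rows


if __name__ == "__main__":
    # Fall back to the raw IP when the table has no name for it.
    for row in apply_lookup(SYSLOG_EVENTS, ROUTER_CSV):
        name = row["hostname"] or row["host_ip"]
        print(f"{name:<16} {row['state']:<9} {row['interface']}")
```

The same anchored column layout is what the Splunk field extraction for host_ip needs to capture: a bare IP regex would also pick up the relay address in the syslog prefix and the Neighbor ID, so extract the Address column by position rather than by "first IP on the line".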