Change IPs in syslog to names in csv file?

lazermissile
New Member

I have been trying to learn where to begin with this, but I'm still struggling three days later, so I figured I would ask here.

I am trying to display OSPF and PIM neighbor tables that I have sent to syslog, but instead of displaying them with their IP addresses, I would like to use names I have in a csv file.

The format of the CSV file, I think, should be something like this:

ip, hostname
43.25.65.3, Router1
10.127.99.213, Router2
76.99.5.244, Router3
172.16.1.1, Router4

This is the syslog output from the router as it's shown in Splunk:

May  3 16:18:07 172.16.8.81 451: *Mar  1 00:32:24.691: %HA_EM-6-LOG: sys: 
May  3 16:18:07 172.16.8.81 452: 
May  3 16:18:07 172.16.8.81 453: Neighbor ID     Pri   State           Dead Time   Address         Interface
May  3 16:18:07 172.16.8.81 454: 43.25.65.3        1   FULL/BDR        00:00:35    172.16.1.1      FastEthernet0/0
May  3 16:18:07 172.16.8.81 455: 76.99.5.244       1   FULL/BDR        00:00:38    10.127.99.213   FastEthernet1/0

I don't know how to go about actually applying this stuff to the syslog output. If anyone can suggest a simple way to accomplish this I would be so happy!

If there is an easier way to do this (No DHCP) then please suggest. Thanks!

dwaddle
SplunkTrust

The easiest solution may not be a "Splunk" one at all. Put your router IPs in /etc/hosts on the machine receiving the syslog. Let it write the proper host names into the events as they are received.

I am making an assumption here that you are using syslog-ng or rsyslog or something as the UDP receiver and letting Splunk read its input files. If you're using Splunk's own UDP receiver, you may need to set:

connection_host = dns

for the appropriate stanza in inputs.conf.

sowings
Splunk Employee

You'll first need to make sure that you're capturing the dotted IP address from the log lines as a field. Let's say you've set it up and have a field called host_ip. (The host field created by Splunk may or may not reflect the IP address of the router device, depending upon whether you have the data going over a syslog channel directly into Splunk, or whether there is a syslog receiver and Splunk Forwarder in between.)

Once you have a field containing the dotted IP, you're talking about a lookup. Use the Manager > Lookups section to first create a file (with the contents you've provided), then create a lookup definition, to be able to refer to it by name. Let's say you called the file router_ips.csv, and then created a lookup definition router_lookup to refer to that file.

Now, in the search bar, you could do: < your search > | lookup router_lookup ip AS host_ip OUTPUT hostname. At this point the hostname field would contain a string like 'Router4'.

You can further configure this lookup (again, via the Manager) to be automatic, and not require the extra "lookup" step described above.

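What the lookup step in this answer does, shown as an added Python example that is not part of either answer or of Splunk itself: it reads the CSV from the question, pulls the two dotted IPs out of each OSPF neighbor row (ignoring the relay's own IP in the syslog prefix), and substitutes the names; IPs missing from the CSV are left as they are, which is what an unmatched Splunk lookup also does. The function names and the embedded sample data are my own, with the samples copied from the question.

```python
import csv
import io
import re

# Constructed sample inputs, copied from the question above.
ROUTER_CSV = """ip, hostname
43.25.65.3, Router1
10.127.99.213, Router2
76.99.5.244, Router3
172.16.1.1, Router4
"""

SYSLOG_LINES = [
    "May  3 16:18:07 172.16.8.81 453: Neighbor ID     Pri   State           Dead Time   Address         Interface",
    "May  3 16:18:07 172.16.8.81 454: 43.25.65.3        1   FULL/BDR        00:00:35    172.16.1.1      FastEthernet0/0",
    "May  3 16:18:07 172.16.8.81 455: 76.99.5.244       1   FULL/BDR        00:00:38    10.127.99.213   FastEthernet1/0",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_lookup(csv_text):
    """Build an ip -> hostname dict; skipinitialspace handles the ', ' separators in the CSV."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    return {row["ip"].strip(): row["hostname"].strip() for row in reader}


def parse_neighbor_line(line):
    """Return (neighbor_id, address) from an OSPF neighbor-table row, or None for header/other lines."""
    # Drop the syslog prefix "<timestamp> <relay ip> <seq>: " so the relay IP is not treated as a neighbor.
    body = line.split(": ", 1)[1] if ": " in line else line
    ips = IPV4.findall(body)
    if len(ips) != 2:
        return None
    return ips[0], ips[1]


def resolve_line(line, lookup):
    """Replace the neighbor and address IPs with names from the lookup; unknown IPs are kept unchanged."""
    parsed = parse_neighbor_line(line)
    if parsed is None:
        return line
    out = line
    for ip in parsed:
        out = re.sub(r"\b" + re.escape(ip) + r"\b", lookup.get(ip, ip), out)
    return out


if __name__ == "__main__":
    names = load_lookup(ROUTER_CSV)
    for raw in SYSLOG_LINES:
        print(resolve_line(raw, names))
```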