Getting Data In

Change IPs in syslog to names in csv file?

New Member

I have been trying to learn where to begin with this, but I'm still struggling three days later, so I figured I would ask here.

I am trying to display OSPF and PIM neighbor tables that I have sent to syslog, but instead of displaying them with their IP addresses, I would like to use names I have in a csv file.

The format of the csv file, I think, should be something like this:

ip, hostname
43.25.65.3, Router1
10.127.99.213, Router2
76.99.5.244, Router3
172.16.1.1, Router4

This is the syslog output from the router as it's shown in Splunk:

May  3 16:18:07 172.16.8.81 451: *Mar  1 00:32:24.691: %HA_EM-6-LOG: sys: 

May  3 16:18:07 172.16.8.81 452: 

May  3 16:18:07 172.16.8.81 453: Neighbor ID     Pri   State           Dead Time   Address         Interface

May  3 16:18:07 172.16.8.81 454: 43.25.65.3        1   FULL/BDR        00:00:35    172.16.1.1      FastEthernet0/0

May  3 16:18:07 172.16.8.81 455: 76.99.5.244       1   FULL/BDR        00:00:38    10.127.99.213   FastEthernet1/0

I don't know how to go about actually applying this stuff to the syslog output. If anyone can suggest a simple way to accomplish this I would be so happy!

If there is an easier way to do this (No DHCP) then please suggest. Thanks!


SplunkTrust

The easiest solution may not be a "Splunk" one at all. Put your router IPs in /etc/hosts on the machine receiving the syslog. Let it write the proper host names into the events as they are received.

I am making an assumption here that you are using syslog-ng or rsyslog or something as the UDP receiver and letting Splunk read its input files. If you're using Splunk's own UDP receiver, you may need to set:

connection_host = dns

for the appropriate stanza in inputs.conf.


Splunk Employee

You'll first need to make sure that you're capturing the dotted IP address from the log lines as a field. Let's say you've set it up and have a field called host_ip. (The host field created by Splunk may or may not reflect the IP address of the router device, depending upon whether you have the data going over a syslog channel directly into Splunk, or whether there is a syslog receiver and Splunk Forwarder in between.)

Once you have a field containing the dotted IP, you're talking about a lookup. Use the Manager > Lookups section to first create a file (with the contents you've provided), then create a lookup definition, to be able to refer to it by name. Let's say you called the file router_ips.csv, and then created a lookup definition router_lookup to refer to that file.

Now, in the search bar, you could do: < your search > | lookup router_lookup ip AS host_ip OUTPUT hostname. At this point the hostname field would contain a string like 'Router4'.

You can further configure this lookup (again, via the Manager) to be automatic, and not require the extra "lookup" step described above.

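To check that the field extraction and the CSV lookup line up before building them in Splunk, here is a stand-alone simulation of the two steps the answer above describes (extract the dotted IPs from the OSPF neighbor rows, then map them through the csv file). This is an added example, not code from the original post or from Splunk; the sample CSV and syslog rows are constructed from the question, and the regex, `load_lookup` and `enrich` are assumptions of this example.

```python
import csv
import io
import re

# Constructed copy of the question's CSV (note the space after each comma).
ROUTER_CSV = """ip, hostname
43.25.65.3, Router1
10.127.99.213, Router2
76.99.5.244, Router3
172.16.1.1, Router4
"""

# Constructed copies of the OSPF neighbor rows from the question's syslog output.
SYSLOG_LINES = [
    "May  3 16:18:07 172.16.8.81 454: 43.25.65.3        1   FULL/BDR        00:00:35    172.16.1.1      FastEthernet0/0",
    "May  3 16:18:07 172.16.8.81 455: 76.99.5.244       1   FULL/BDR        00:00:38    10.127.99.213   FastEthernet1/0",
]

# Syslog prefix (timestamp, source host, sequence number) followed by the
# neighbor row: Neighbor ID, Pri, State, Dead Time, Address, Interface.
NEIGHBOR_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+\d+:\s+"
    r"(?P<neighbor_id>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+\S+\s+"
    r"(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<interface>\S+)$"
)


def load_lookup(csv_text):
    """Build {ip: hostname}; skipinitialspace handles the ', ' separators."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    return {row["ip"].strip(): row["hostname"].strip() for row in reader}


def enrich(line, lookup):
    """Return extracted fields plus hostnames, or None for non-neighbor rows."""
    m = NEIGHBOR_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # An IP missing from the CSV stays visible as an IP rather than vanishing,
    # so gaps in the lookup file show up in the output.
    fields["neighbor_hostname"] = lookup.get(fields["neighbor_id"], fields["neighbor_id"])
    fields["address_hostname"] = lookup.get(fields["address"], fields["address"])
    return fields


if __name__ == "__main__":
    table = load_lookup(ROUTER_CSV)
    for row in (enrich(l, table) for l in SYSLOG_LINES):
        if row:
            print(f"{row['neighbor_hostname']:<10} {row['address_hostname']:<10} {row['interface']}")
```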