Re: How do you replace ip address with name?

papalmi · ‎07-21-2015

We're looking to substitute the host field, which is an IP address, with the device name that corresponds to the IP address. I'm trying to do this using a .csv file and have the output automatically changed. I've resolved all the errors but I haven't been successful yet. Help would be appreciated. Thanks

martin_mueller · ‎07-21-2015

If you have a .csv like this

ip,device
1.2.3.4,foo

then you can define that as a lookup table, and specify an automatic lookup for your sourcetype using ip as the input field and device as the output field - with potentially some renaming if the field isn't called ip in your data. Then Splunk will automagically add a device field to your events.

papalmi · ‎07-21-2015

note that |inputlookup .csv does output the contents of the .csv file correctly

martin_mueller · ‎07-21-2015

Did you check the box to overwrite field values?

Note, you may not be able to output to the same field name as your input.

papalmi · ‎07-21-2015

Yes, overwrite is checked. I'll try different field names and see what happens.

Thanks

papalmi · ‎07-21-2015

Hi Martin, thanks for the quick replay. Perhaps it's the input/output fields where the issue lies. The .csv file has 2 columns, clientip and clienthost. I'm trying to get the contents of clienthost (which is the device name) to replace the search output field host (which is the ip address). This is what's configured under Lookups> Automatic lookups>

Lookup input fields
clientip = host

Lookup output fields
clienthost = host

Thanks

How do you replace ip address with name?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk