Getting Data In

Rename/Set Host Name

Explorer

We recently set up splunk to start accepting snmp logs from our switches and routers, which is working out nicely. However on the dashboard under the hosts table it lists the ip address instead of a hostname. I was wondering if there is a way to set the hostname or possibly rename it, so on the dashboard we can see the name of it instead of the ip address.

Thank You

New Member

Which is the file to edit please?

/mnt/data/splunk/etc/apps/introspection_generator_addon/default/inputs.conf
/mnt/data/splunk/etc/apps/sample_app/default/inputs.conf
/mnt/data/splunk/etc/apps/search/local/inputs.conf
/mnt/data/splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
/mnt/data/splunk/etc/apps/Splunk_TA_nix/default/inputs.conf
/mnt/data/splunk/etc/modules/distributedDeployment/classes/deployable/inputs.conf
/mnt/data/splunk/etc/system/default/inputs.conf
/mnt/data/splunk/etc/system/local/inputs.conf
/mnt/data/splunk/etc/system/README/inputs.conf.example
/mnt/data/splunk/etc/system/README/inputs.conf.spec

0 Karma

How are you getting the SNMP logs? Straight from a network port, opened by splunk? If that's the case, you can set it to resolve ips to their dns names.

In your inputs.conf [tcp://:] stanza, set:

connection_host = dns

0 Karma

Path Finder

Simple question ... do the IPs for the hosts' sources resolve in DNS to the reverse name you'd like to see?

0 Karma

Explorer

below is what I added to the props.conf and transforms.conf

props.conf

[host::IP_Address]

TRANSFORMS-host_rename = host_rename_HostA

transforms.conf:

[host_rename_HostA]

REGEX = .

DEST_KEY = MetaData:Host

FORMAT = host::HostB

Splunk Employee
Splunk Employee

Is the host field that is showing up in the events the same IP address? Your telling splunk to use that transform on the host field containing that IP. Also, not sure that your regex matching everything is going to work. You'll need to pull it out of the event and then rename using the appropriate variable.

0 Karma

Explorer

Thanks for the quick response, however neither method worked for changing the host name being displayed.

I went to C:\Program Files\Splunk\etc\system\local and altered inputs.conf by adding line:
host = NAME

and then stopped/started splunk, however the name was still being displayed the same.

So next I tried the props/transforms method. Went to C:\Program Files\Splunk\etc\system\default and altered the props.conf and transforms.conf by adding the sections mentioned in the article linked (Copy/Pasted them and just changed them to have my ip address and name I wanted). Then again stopped/started splunk and the name is still displaying the same. Not sure if I'm missing something here or what.

Thanks

0 Karma

Splunk Employee
Splunk Employee

You can set the hostname with the 'host' variable in inputs.conf where the input is defined. You can also rewrite it with props/transforms.

#*******
# GENERAL SETTINGS:
# The following attribute/value pairs are valid for all input types (except file 
# system change monitor, which is described in a separate section in this file).
# You must first enter a stanza header in square brackets, specifying the input type. 
# See further down in this file for examples.   
# Then, use any of the following attribute/value pairs.
#*******

host = <string>
* Sets the host key/field to a static value for this stanza.
* Primarily used to control the host field, which will be used for events coming in
  via this input stanza.
* Detail: Sets the host key's initial value. The key is used during parsing/indexing, 
  in particular to set the host field. It is also the host field used at search time.
* As a convenience, the chosen string is prepended with 'host::'.
* If not set explicitly, this defaults to the IP address or fully qualified
  domain name of the host where the data originated.

To use props/transforms, see the following:

http://splunk-base.splunk.com/answers/1673/hostname-rename-using-transforms

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!