We recently set up splunk to start accepting snmp logs from our switches and routers, which is working out nicely. However on the dashboard under the hosts table it lists the ip address instead of a hostname. I was wondering if there is a way to set the hostname or possibly rename it, so on the dashboard we can see the name of it instead of the ip address.
Which is the file to edit please?
How are you getting the SNMP logs? Straight from a network port, opened by splunk? If that's the case, you can set it to resolve ips to their dns names.
In your inputs.conf [tcp://:
connection_host = dns
below is what I added to the props.conf and transforms.conf
TRANSFORMS-host_rename = host_rename_HostA
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::HostB
Is the host field that is showing up in the events the same IP address? Your telling splunk to use that transform on the host field containing that IP. Also, not sure that your regex matching everything is going to work. You'll need to pull it out of the event and then rename using the appropriate variable.
Thanks for the quick response, however neither method worked for changing the host name being displayed.
I went to C:\Program Files\Splunk\etc\system\local and altered inputs.conf by adding line:
host = NAME
and then stopped/started splunk, however the name was still being displayed the same.
So next I tried the props/transforms method. Went to C:\Program Files\Splunk\etc\system\default and altered the props.conf and transforms.conf by adding the sections mentioned in the article linked (Copy/Pasted them and just changed them to have my ip address and name I wanted). Then again stopped/started splunk and the name is still displaying the same. Not sure if I'm missing something here or what.
You can set the hostname with the 'host' variable in inputs.conf where the input is defined. You can also rewrite it with props/transforms.
#******* # GENERAL SETTINGS: # The following attribute/value pairs are valid for all input types (except file # system change monitor, which is described in a separate section in this file). # You must first enter a stanza header in square brackets, specifying the input type. # See further down in this file for examples. # Then, use any of the following attribute/value pairs. #******* host = <string> * Sets the host key/field to a static value for this stanza. * Primarily used to control the host field, which will be used for events coming in via this input stanza. * Detail: Sets the host key's initial value. The key is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. * As a convenience, the chosen string is prepended with 'host::'. * If not set explicitly, this defaults to the IP address or fully qualified domain name of the host where the data originated.
To use props/transforms, see the following: