
Rename the "host" field from stormshield sourcetype events

kvnpichon
Path Finder

Hello,

I will try to describe the situation first, then my problem, and then ask you my question:

This is my architecture:

  • 6 stormshield firewalls (one per remote site).
  • 6 rsyslog/forwarders (one per remote site).
  • The rsyslog/forwarders gather logs from /var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The rsyslog/forwarders send logs to indexers with sourcetype = stormshield and source=/var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The "host" field is the "%FROMHOST%" folder (defined by the hostname of the firewall)

My problem is :

  • The "host" field is not normalized because sometimes the hostname is an IP address or the DNS name.
  • I can't change the hostname of my firewalls because a lot of things are related to their hostname.
  • I need to use the "host" field because it is used in a lot of security dashboards.

My question is: can I normalize the "host" field by renaming the firewalls somewhere in Splunk? And how can I do it?

  • I want the "host" field to correspond to my new names.
  • Example 1: For the firewall XX.XX.XX.1 (old "host" field), the "host" field must be ABC-001.
  • Example 2: For XX.XX.XX.19, the "host" field must be ABC-019 instead of XX.XX.XX.19, etc.

Thanks Splunkers,

Regards.


kvnpichon
Path Finder

For the moment I found a solution:

I use a lookup that maps the "fw" field (firewall serial number) to the "dvc" field (cluster hostname).

So I declared the lookup/fields in the props.conf and the transforms.conf.

Like that, if 2 firewalls belonging to the same cluster appear in the logs, they have the same "dvc" field.

Thanks for the reply.

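As an added illustration of the lookup approach described in the accepted answer (this is not configuration from the original post; the stanza names, the CSV file name and the sample serial numbers are assumptions), the transforms.conf/props.conf pair that applies the fw-to-dvc mapping automatically to every event of the stormshield sourcetype:

```ini
# transforms.conf  (search-time lookup definition; assumed stanza name)
# The CSV is placed in the lookups/ directory of the app that owns the
# stormshield sourcetype, e.g. $SPLUNK_HOME/etc/apps/<app>/lookups/.
[stormshield_fw_to_dvc]
filename = stormshield_fw_to_dvc.csv

# props.conf  (automatic lookup bound to the sourcetype)
[stormshield]
# For each event: read the already extracted "fw" field (firewall serial
# number), match it against the CSV column "fw", and add the CSV column "dvc"
# (cluster hostname) as a search-time field.  OUTPUTNEW only fills dvc when the
# event has none; use OUTPUT instead if an existing dvc value must be replaced.
LOOKUP-stormshield_dvc = stormshield_fw_to_dvc fw OUTPUTNEW dvc

# stormshield_fw_to_dvc.csv  (constructed sample rows; the header row must
# carry the field names used in the LOOKUP line above)
# fw,dvc
# SERIAL-PLACEHOLDER-0001,ABC-001
# SERIAL-PLACEHOLDER-0002,ABC-001
# SERIAL-PLACEHOLDER-0019,ABC-019
```

Two serials mapping to the same dvc value (as in the first two sample rows) is how both members of a cluster end up with one name; dashboards that currently filter on host would then be pointed at dvc, while the indexed host value itself is left unchanged by this search-time lookup.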
