Hello,
I will try to describe the situation first, then my problem, and then ask you my question:
This is my architecture:
My problem is:
My question is: can I normalize the "host" field by renaming the firewalls somewhere in Splunk? And how can I do it?
Thanks Splunkers,
Regards.
For the moment I found a solution:
I use a lookup that maps the "fw" field (firewall serial number) to the "dvc" field (cluster hostname).
So I declared the lookup/fields in props.conf and transforms.conf.
That way, if 2 firewalls belonging to the same cluster appear in the logs, they have the same "dvc" field.
Thanks for the reply.
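
A sketch of the lookup setup described in the post above, added here as an example and not taken from the poster's configuration. The stanza name, CSV file name, sourcetype, serial numbers and cluster names are all assumed placeholders; `min_matches` and `default_match` are an addition so that a firewall missing from the CSV is visible in searches instead of silently lacking a `dvc` value.

```ini
# ---- transforms.conf : lookup definition ----
# Stanza name and file name are assumptions for this example.
[fw_cluster_lookup]
filename = fw_cluster.csv
# Return at most one cluster name per serial number.
max_matches = 1
# If the serial number is not in the CSV, still emit a value
# so unmapped firewalls can be found with dvc=unmapped_firewall.
min_matches = 1
default_match = unmapped_firewall

# fw_cluster.csv lives in the app's lookups/ directory.
# Constructed sample content (serials and names are placeholders):
#   fw,dvc
#   SERIAL-PLACEHOLDER-A,fw-cluster-01
#   SERIAL-PLACEHOLDER-B,fw-cluster-01
#   SERIAL-PLACEHOLDER-C,fw-cluster-02

# ---- props.conf : automatic lookup at search time ----
# Replace the stanza header with the sourcetype of the firewall logs.
[your_firewall_sourcetype]
# Match the event's "fw" field against the CSV "fw" column
# and add the CSV "dvc" column to the event as "dvc".
LOOKUP-fw_cluster = fw_cluster_lookup fw OUTPUT dvc
```

This is applied at search time, so the indexed `host` value is unchanged; searches and dashboards group by `dvc` instead.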