Getting Data In

Splunk indexer displays events from my new forwarder with the host field showing the IP address; I want the hostname

mazer
Explorer

Hi,

My forwarder is forwarding messages from a private subnet to our Splunk indexer.

Here's an example of what I'm getting:

3:57:04.000 PM
Mar  5 15:57:04 10.150.XXX.XXX logmgr: ID = 516 : Tue Mar  5 15:53:59 2013 : Audit : Log : minor : root : Set : object = "/SP/alertmgmt/rules/testalert" : value = "true" : success

    host=10.150.XXX.XXX
    sourcetype=udp:514
    source=udp:514

What I'd like is for the hostname to be resolved.

On the forwarder I can resolve the IP address to a hostname:

$ host 10.150.XXX.XXX

XXX.XXX.150.10.in-addr.arpa domain name pointer XXXXX-ilom.university.ac.uk.

I had a look at the splunk documentation and tried the instructions here to try and get around the problem:
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources

In summary, I made the following changes to the quoted files, ensured there was also a copy of each in /opt/splunk/etc/apps/SplunkForwarder/local, and restarted Splunk, but it didn't work.

In /opt/splunk/etc/system/local/props.conf
Added the 2 bottom lines to the access_combined section:

[access_combined]
pulldown_type = true 
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
LOOKUP-dns = dnsLookup host OUTPUT ip AS clientip
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname

In /opt/splunk/etc/system/local/transforms.conf
Changed the dns_lookup section to the following 2 lines:

external_cmd = external_lookup.py host ip
fields_list = host, ip

Does anyone have any ideas what I'm doing wrong?

Many Thanks, Maria

1 Solution

mazer
Explorer

Here's the answer for those who need it.

In /opt/splunk/etc/system/local/inputs.conf you need:

[udp://514]
connection_host=dns

The thing that threw me for ages was that you need the 514; without it you would expect it would do for all, but for some reason it does not!

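The accepted answer works because `connection_host = dns` tells Splunk to set the host field from a reverse lookup of the UDP sender's address, rather than from the address itself. The script below is an added example, not code from the thread or from Splunk: it models the effect of `connection_host = ip` versus `dns` on constructed datagrams, and adds a check the thread does not discuss. A PTR record is controlled by whoever runs the reverse zone for that address (and the source address of a UDP syslog packet is itself easy to forge), so a hostname obtained this way should be forward-confirmed before it is used in alerting or access decisions. The resolver is an in-memory stub so the example runs offline; the addresses, hostnames and syslog lines are constructed to mirror the masked event in the question.

```python
"""Model of how Splunk's connection_host setting for a [udp://514] input
picks the host field, plus a forward-confirmed reverse DNS (FCrDNS) check.

Added example; not Splunk code. The DNS data below is a constructed stub
standing in for what socket.gethostbyaddr() / socket.gethostbyname_ex()
would return on the forwarder, so the script runs with no network.
"""

# Constructed stub resolver data (hypothetical addresses and names).
PTR_RECORDS = {
    "10.150.1.20": "sp1-ilom.university.ac.uk",  # A record points back: FCrDNS passes
    "10.150.1.21": "indexer.university.ac.uk",   # A record points elsewhere: stale or spoofed PTR
    # 10.150.1.22 deliberately has no PTR record
}
A_RECORDS = {
    "sp1-ilom.university.ac.uk": {"10.150.1.20"},
    "indexer.university.ac.uk": {"10.150.1.5"},
}


def reverse_lookup(ip):
    """PTR lookup against the stub; real code would use socket.gethostbyaddr(ip)[0]."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """A lookup against the stub; real code would use set(socket.gethostbyname_ex(name)[2])."""
    return A_RECORDS.get(name, set())


def host_field(peer_ip, connection_host):
    """Host value the input assigns to a datagram from peer_ip under the given
    inputs.conf setting: 'ip' keeps the address; 'dns' uses the PTR name and
    falls back to the address when the lookup returns nothing."""
    if connection_host == "ip":
        return peer_ip
    if connection_host == "dns":
        return reverse_lookup(peer_ip) or peer_ip
    raise ValueError("this example models only connection_host = ip or dns")


def confirmed_host(peer_ip):
    """Forward-confirmed reverse DNS: accept the PTR name only if its A record
    contains the address that actually sent the datagram; otherwise keep the IP."""
    name = reverse_lookup(peer_ip)
    if name and peer_ip in forward_lookup(name):
        return name
    return peer_ip


# Constructed sample datagrams: (UDP source address, raw syslog payload),
# modelled on the ILOM audit event quoted in the question.
SAMPLES = [
    ("10.150.1.20", 'Mar  5 15:57:04 10.150.1.20 logmgr: ID = 516 : Audit : Log : minor : root : Set : object = "/SP/alertmgmt/rules/testalert" : value = "true" : success'),
    ("10.150.1.21", 'Mar  5 15:58:10 10.150.1.21 logmgr: ID = 517 : Audit : Log : minor : root : Set : object = "/SP/users/admin" : value = "changed" : success'),
    ("10.150.1.22", 'Mar  5 15:59:00 10.150.1.22 logmgr: ID = 518 : Audit : Log : minor : root : Login : success'),
]


def index_samples(connection_host):
    """Return (host as Splunk would set it, FCrDNS-confirmed host, raw event) per sample."""
    return [(host_field(ip, connection_host), confirmed_host(ip), raw) for ip, raw in SAMPLES]


if __name__ == "__main__":
    for setting in ("ip", "dns"):
        print(f"connection_host = {setting}")
        for host, confirmed, raw in index_samples(setting):
            print(f"  host={host:<28} fcrdns={confirmed:<28} {raw[:32]}...")
```

Under `connection_host = dns` the second sample is indexed as `indexer.university.ac.uk` even though that name's A record does not include the sending address; the FCrDNS check keeps the raw IP for it instead. In a live deployment the same check can be applied at search time with a lookup, or the raw `host` can be kept and a confirmed name added as a separate field, which avoids trusting PTR data for routing or alert suppression.
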
mazer
Explorer

Sorry, thought I'd done that!!!!

giorgio_adami_m
Path Finder

mark it as answered 😉
