Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the easiest way to search-time transform for hostname and FQDN?

whar_garbl
Path Finder
‎07-14-2022 12:30 PM

I have historical data in Splunk where the same host may appear as either Hostname.Domain.Com or Hostname. I would like all searches that specify Hostname to also gather events for Hostname.Domain.Com without modifying any searches. I can't delete and reindex, so that's right out.

I found this post , which seems to be more or less what I want to do, but it isn't working, and I'm not sure why. It's older, so maybe the settings need to be different. 

What is the easiest way to accomplish this goal? Cheers.

Labels (4)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2022 02:59 PM

Transforms are applied at index time.  The solution you're pointing to is rewriting the host value when splunk is ingesting events. It shortens them host field for *.company.com before indexing themevents. With such setup all applicable events would have short names. But only the newly indexed ones of course.

As I understand your indexed field host for some of your already indexed events contains host=host1 and for some host=host1.domain.com.

And you would like to match events with host=host1.domain.com to match if a user searches for just host=host1?

That's a tough one. There is a solution but it's very ugly and I wouldn't do that if I were you - fiddling with default fields can have unforseeable results.

But anyway.

Since you want the host field to match both hostname as well as fqdn, you need to make the field multivalued in search time. To do this you have to define a calculated field named host for your sourcetype (or host) with formula

mvappend(host,mvindex(split(host,"."),0)

Hopelessly ugly hack but seems to work on my lab.

Reply

whar_garbl
Path Finder
‎07-14-2022 03:14 PM

Thank you for the detailed explanation. I'll try this in test and see how it works with my dataset.

 

I suppose it isn't the end of the world if only newly indexed events have the short name, but I know my security folks will hate that answer. It'll be irritating to go back and edit every dashboard panel deployment-wide to accommodate the two-name dichotomy for historical searches.

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2022 03:17 PM

It seems I ate one closing parenthesis ;). But you probably spotted that while testing.

Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...