- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Search-time transform for hostname and FQDN
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the easiest way to search-time transform for hostname and FQDN?
I have historical data in Splunk where the same host may appear as either Hostname.Domain.Com or Hostname. I would like all searches that specify Hostname to also gather events for Hostname.Domain.Com without modifying any searches. I can't delete and reindex, so that's right out.
I found this post , which seems to be more or less what I want to do, but it isn't working, and I'm not sure why. It's older, so maybe the settings need to be different.
What is the easiest way to accomplish this goal? Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transforms are applied at index time. The solution you're pointing to is rewriting the host value when splunk is ingesting events. It shortens them host field for *.company.com before indexing themevents. With such setup all applicable events would have short names. But only the newly indexed ones of course.
As I understand your indexed field host for some of your already indexed events contains host=host1 and for some host=host1.domain.com.
And you would like to match events with host=host1.domain.com to match if a user searches for just host=host1?
That's a tough one. There is a solution but it's very ugly and I wouldn't do that if I were you - fiddling with default fields can have unforseeable results.
But anyway.
Since you want the host field to match both hostname as well as fqdn, you need to make the field multivalued in search time. To do this you have to define a calculated field named host for your sourcetype (or host) with formula
mvappend(host,mvindex(split(host,"."),0)
Hopelessly ugly hack but seems to work on my lab.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the detailed explanation. I'll try this in test and see how it works with my dataset.
I suppose it isn't the end of the world if only newly indexed events have the short name, but I know my security folks will hate that answer. It'll be irritating to go back and edit every dashboard panel deployment-wide to accommodate the two-name dichotomy for historical searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems I ate one closing parenthesis ;). But you probably spotted that while testing.
Splunk APM & RUM | Upcoming Planned Maintenance
Part 2: Diving Deeper With AIOps
User Groups | Upcoming Events!
