Getting Data In

What is the easiest way to search-time transform for hostname and FQDN?

whar_garbl
Path Finder

I have historical data in Splunk where the same host may appear as either Hostname.Domain.Com or Hostname. I would like all searches that specify Hostname to also gather events for Hostname.Domain.Com without modifying any searches. I can't delete and reindex, so that's right out.

I found this post, which seems to be more or less what I want to do, but it isn't working, and I'm not sure why. It's older, so maybe the settings need to be different.

What is the easiest way to accomplish this goal? Cheers.


PickleRick
SplunkTrust

Transforms are applied at index time. The solution you're pointing to is rewriting the host value when Splunk is ingesting events. It shortens the host field for *.company.com before indexing the events. With such a setup all applicable events would have short names. But only the newly indexed ones, of course.

As I understand it, your indexed field host for some of your already indexed events contains host=host1 and for some host=host1.domain.com.

And you would like to match events with host=host1.domain.com to match if a user searches for just host=host1?

That's a tough one. There is a solution but it's very ugly and I wouldn't do that if I were you - fiddling with default fields can have unforeseeable results.

But anyway.

Since you want the host field to match both hostname as well as FQDN, you need to make the field multivalued at search time. To do this you have to define a calculated field named host for your sourcetype (or host) with the formula

mvappend(host,mvindex(split(host,"."),0))

Hopelessly ugly hack, but it seems to work in my lab.
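As an added illustration, not code from this thread or from Splunk, here is a small Python emulation of what that calculated field does to the host field at search time. The three helpers only approximate Splunk's eval functions split(), mvindex() and mvappend() for this one case, and the case-insensitive match in matches() is an assumption of the emulation, not a statement about Splunk's search semantics.

```python
# Emulates the search-time calculated field
#   EVAL-host = mvappend(host, mvindex(split(host, "."), 0))
# over a few constructed host values, so the matching behaviour can be
# checked without a Splunk instance. Helpers are simplified stand-ins,
# not Splunk's implementation.

def splunk_split(value, sep):
    # split() returns a multivalue field of the pieces.
    return value.split(sep)

def splunk_mvindex(mv, index):
    # mvindex() returns the element at index, or null when out of range.
    return mv[index] if -len(mv) <= index < len(mv) else None

def splunk_mvappend(*parts):
    # mvappend() concatenates values and multivalue fields; nulls are dropped,
    # duplicates are kept.
    out = []
    for part in parts:
        if part is None:
            continue
        out.extend(part if isinstance(part, list) else [part])
    return out

def calc_host(indexed_host):
    """Apply the answer's formula to one event's indexed host value."""
    return splunk_mvappend(indexed_host,
                           splunk_mvindex(splunk_split(indexed_host, "."), 0))

def matches(search_host, indexed_host):
    """True if a search for host=<search_host> would hit an event whose
    indexed host is <indexed_host> (case-insensitive compare: assumption)."""
    return search_host.lower() in (v.lower() for v in calc_host(indexed_host))

# Constructed sample events, one host value each.
EVENTS = ["host1", "host1.domain.com", "host2.domain.com"]

def hits(search_host):
    """Which sample events a search for host=<search_host> would return."""
    return [e for e in EVENTS if matches(search_host, e)]

if __name__ == "__main__":
    for term in ("host1", "host1.domain.com", "host2"):
        print(f"host={term} -> {hits(term)}")
```

Note the asymmetry the emulation exposes: host=host1 now finds both spellings, but host=host1.domain.com still misses events indexed with the short name, and a short-named event carries its value twice in the multivalue field.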

whar_garbl
Path Finder

Thank you for the detailed explanation. I'll try this in test and see how it works with my dataset.


I suppose it isn't the end of the world if only newly indexed events have the short name, but I know my security folks will hate that answer. It'll be irritating to go back and edit every dashboard panel deployment-wide to accommodate the two-name dichotomy for historical searches.


PickleRick
SplunkTrust

It seems I ate one closing parenthesis ;). But you probably spotted that while testing.
