Getting Data In

dnslookup: How to change host (indextime) using dnslookup?

koshyk
Super Champion

We have a few devices which emit events with an IP address. So based on a sourcetype, can we change the host (hostname) of the entire sourcetype at index time based on a DNS lookup?
Any examples would be great.

Edit: Forgot to mention, the data exists in a file sent by a Heavy Forwarder, which is captured in rsyslog.

Sample events. {The second field is the host IP, but we need to do a DNS lookup at index time}

2018-10-20T13:00:00+0500  10.22.222.333  [tag1]  somepayload1
2018-10-20T13:00:00+0500  10.22.222.334  [tag2]  somepayload2

Thanks in advance.


harsmarvania57
Ultra Champion

Hi @koshyk,

As you didn't mention how those devices are ingesting data into Splunk: if they are ingesting data directly into Splunk, you can look at the below configuration for various data inputs in inputs.conf.

For example: for the Splunk TCP input the default configuration is ip, but for the TCP input the default configuration is dns.

[splunktcp://[<remote server>]:<port>]
connection_host = [ip|dns|none]
* For splunktcp, the 'host' or 'connection_host' will be used if the remote 
  Splunk instance does not set a host, or if the host is set to
  "<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for the IP address of the system
  sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk
  system hostname.
* Default: "ip".

koshyk
Super Champion

Sorry mate, forgot to give an example. Yes, this is from a file itself (which has already been collected by syslog).
