We have a few devices which emit events as IP addresses. So, based on a sourcetype, can we change the host (hostname) of the entire sourcetype at index time based on a DNS lookup?
Any examples would be great.
Edit: I forgot to mention, the data exists in a file sent by a Heavy Forwarder which is captured in rsyslog.
Sample events (the second field is the host IP, but I need to do a DNS lookup at index time):
2018-10-20T13:00:00+0500 10.22.222.333 [tag1] somepayload1
2018-10-20T13:00:00+0500 10.22.222.334 [tag2] somepayload2
Thanks in advance.
Hi @koshyk,
As you didn't mention how those devices are ingesting data into Splunk: if they are ingesting data directly into Splunk, you can look at the configuration below for the various data inputs in inputs.conf.
For example, for the Splunk TCP input the default configuration is ip, but for the TCP input the default configuration is dns.
[splunktcp://[<remote server>]:<port>]
connection_host = [ip|dns|none]
* For splunktcp, the 'host' or 'connection_host' will be used if the remote
Splunk instance does not set a host, or if the host is set to
"<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for the IP address of the system
sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk
system hostname.
* Default: "ip".
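To make the three connection_host modes concrete for file-based data like the sample events, here is an added example (not code from the original thread and not Splunk's own logic) that applies the same ip / dns / none choice per event, taking the IP from the event's second field rather than from the network connection. The reverse lookup is injected so the script runs offline: FAKE_PTR, the hostnames in it and the configured host "rsyslog-hf" are constructed assumptions, and the 10.22.222.x addresses are the placeholders from the post. The check a practitioner wants in dns mode is also shown: a PTR record is controlled by whoever owns the reverse zone for that IP, so the returned name is validated as a plain RFC 1123 hostname before it is allowed to become the host field, and the IP is kept otherwise.

```python
import re
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample events in the layout from the post:
# <timestamp> <source-ip> [tag] <payload>
SAMPLE_EVENTS = [
    "2018-10-20T13:00:00+0500 10.22.222.333 [tag1] somepayload1",
    "2018-10-20T13:00:00+0500 10.22.222.334 [tag2] somepayload2",
]

# Constructed PTR table standing in for the reverse DNS zone (assumption).
# 10.22.222.334 deliberately has no PTR record.
FAKE_PTR = {"10.22.222.333": "fw01.example.internal"}

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<rest>.*)$")

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, 63 chars per label, 253 overall.  A PTR that
# fails this (spaces, quotes, search syntax) must not become the host field.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}\.?$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

Resolver = Callable[[str], Optional[str]]


def fake_reverse_lookup(ip: str) -> Optional[str]:
    """Offline resolver over the constructed PTR table."""
    return FAKE_PTR.get(ip)


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Real resolver; swap this in when running against live DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def resolve_host(ip: str, mode: str, configured_host: str,
                 lookup: Resolver = fake_reverse_lookup) -> str:
    """Mirror connection_host semantics for a single source IP.

    none -> the host configured on the input
    ip   -> the sending IP as-is
    dns  -> validated reverse DNS name, falling back to the IP when there is
            no PTR or the PTR is not a clean hostname
    """
    if mode == "none":
        return configured_host
    if mode == "ip":
        return ip
    if mode == "dns":
        name = lookup(ip)
        if name and HOSTNAME_RE.match(name):
            return name.rstrip(".").lower()
        return ip
    raise ValueError(f"unknown connection_host mode: {mode!r}")


def assign_hosts(lines: List[str], mode: str, configured_host: str = "rsyslog-hf",
                 lookup: Resolver = fake_reverse_lookup) -> List[Tuple[str, str]]:
    """Return (host, raw_event) pairs for each line; unparseable lines keep
    the configured host so nothing is silently dropped."""
    result = []
    for line in lines:
        m = EVENT_RE.match(line)
        host = (resolve_host(m.group("ip"), mode, configured_host, lookup)
                if m else configured_host)
        result.append((host, line))
    return result


if __name__ == "__main__":
    for mode in ("ip", "dns", "none"):
        print(f"--- connection_host = {mode}")
        for host, line in assign_hosts(SAMPLE_EVENTS, mode):
            print(f"host={host}\t{line}")
```

Run it and compare the three modes: in dns mode only the first event gets a hostname, the second stays as its IP because the constructed zone has no PTR for it. Passing a resolver that returns something like "bad host; index=_internal" also falls back to the IP, which is the behaviour you want before an attacker-influenced PTR ends up in a field that searches and alerts key on.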
Sorry, mate. I forgot to give an example. Yes, this is from a file itself (which has already been collected by syslog).