How can a device name be displayed for the IP address in the summary search window?
Gerald is correct. By default, network inputs assign the sending device/server's IP address as the host name; you can switch it so that Splunk will do a reverse DNS lookup on the IP and grab that as the host name. If you are using Splunk 4.1.x you can make this change in the Splunk Manager; previous versions require you to make the change directly to inputs.conf. (See the docs http://www.splunk.com/base/Documentation/latest/Admin/Monitornetworkports for details.)
Once you make the change, as new data comes in the host name will appear in the summary view. However, since the host field is an indexed field, your change will not be retroactive; your old data will still have IPs for host names. You can either just wait for the older data to age out of your system and the IP hosts will disappear, or you could delete the older data manually once it's lost its relevance.
The URL above no longer exists. Is there a newer URL?
Yeah, without a DNS entry there's no easy way. Using a tag is a great solution though since tags are search time changes and will automatically be retroactive.
Thanks for the info on your posts; the devices sending Syslog to our Splunk are not in our DNS. So I have settled for adding a descriptive tag to the IP address.
I'm going to guess that you've got UDP syslog data coming into Splunk, in which case you need to enable
connection_host = dns
in the inputs.conf. I think there is also a setting for this in the GUI for the UDP input.
For now all the devices are sending syslog and none of them are in our DNS servers.
The cleanest approach would be to try to find out why the host field is being set to the IP address instead of a hostname on input and fix it there. That would only apply to new events going forward though.
If you want to change the display, you will need to modify the dashboard.xml in the search app. It's driven by this search:
| metadata type=hosts
so you would need to modify it to use a lookup table. Using the nslookup command may also be possible, but I believe that command needs raw events to operate on, and would not work with the output of the metadata command.
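Putting the two suggestions above together, as an added configuration example that is not from any of the posts: the inputs.conf change so new UDP syslog events get a DNS-resolved host, and a CSV lookup wired into the metadata search so the summary view shows a device name for the older events that were indexed with an IP in the host field. The stanza, file names and the lookup field names (ip, devicename) are assumptions chosen for this illustration.

```ini
# --- inputs.conf (going forward) ---
# Default for UDP inputs is connection_host = ip, which is why host shows the
# sender's address. dns makes Splunk reverse-resolve the sender at index time;
# it only helps for devices that actually have a PTR record.
[udp://514]
sourcetype = syslog
connection_host = dns

# --- transforms.conf (retroactive display) ---
# Search-time lookup for devices that are NOT in DNS. The CSV lives in
# $SPLUNK_HOME/etc/apps/search/lookups/hostnames_by_ip.csv (path assumed).
[hostnames_by_ip]
filename = hostnames_by_ip.csv

# --- hostnames_by_ip.csv (constructed sample rows, not real devices) ---
# ip,devicename
# 192.0.2.10,core-firewall
# 192.0.2.11,edge-router
# 192.0.2.12,wlan-controller

# --- dashboard.xml search in the search app ---
# Replace the original "| metadata type=hosts" with the line below. The lookup
# matches the IP stored in host; OUTPUTNEW leaves rows that already carry a
# real host name untouched, and coalesce falls back to the IP when the CSV has
# no entry, so nothing disappears from the summary view.
#
# | metadata type=hosts
#   | lookup hostnames_by_ip ip AS host OUTPUTNEW devicename
#   | eval host=coalesce(devicename, host)
#   | fields - devicename
```

Because the lookup runs at search time, it applies to old and new events alike, which is the same reason the tag approach mentioned above is retroactive.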