
Summary view host name instead of IP address

kmille2
Explorer

How can a device name be displayed for the IP address in the summary search window?

0 Karma
1 Solution

DrewO
Splunk Employee

Gerald is correct. By default network inputs assign the sending device/server's IP address as the host name; you can switch it so that Splunk will do a reverse DNS lookup on the IP and grab that as the host name. If you are using Splunk 4.1.x you can make this change in the Splunk Manager; previous versions require you to make the change directly to inputs.conf. (See the docs http://www.splunk.com/base/Documentation/latest/Admin/Monitornetworkports for details.)

Once you make the change, as new data comes in the host name will appear in the summary view. However, since the host field is an indexed field, your change will not be retroactive; your old data will still have IPs for host names. You can either just wait for the older data to age out of your system and the IP hosts will disappear, or you could delete the older data manually once it's lost its relevance.

stefanlasiewski
Contributor

The URL above no longer exists. Is there a newer URL?

0 Karma

DrewO
Splunk Employee

Yeah, without a DNS entry there's no easy way. Using a tag is a great solution though since tags are search time changes and will automatically be retroactive.

0 Karma

kmille2
Explorer

Thanks for the info on your posts; the devices sending Syslog to our Splunk are not in our DNS. So I have settled for adding a descriptive tag to the IP address.

0 Karma

gkanapathy
Splunk Employee

I'm going to guess that you've got UDP syslog data coming in to Splunk, in which case you need to enable the

connection_host = dns

in the inputs.conf. I think there is also a setting for this in the GUI for the UDP input.

kmille2
Explorer

For now all the devices are sending syslog and none of them are in our DNS servers.

0 Karma

southeringtonp
Motivator

The cleanest approach would be to try to find out why the host field is being set to the IP address instead of a hostname on input and fix it there. That would only apply to new events going forward though.

If you want to change the display, you will need to modify the dashboard.xml in the search app. It's driven by this search:

| metadata type=hosts

so you would need to modify it to use a lookup table. Using the nslookup command may also be possible, but I believe that command needs raw events to operate on, and would not work with the output of the metadata command.

0 Karma
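
The lookup-table variant of the search named in the answer above, as an added example that is not part of the original post. It assumes a CSV lookup named `device_names` (a hypothetical name) with columns `ip` and `device_name`, and it keeps the IP address for any device the table does not list.

```spl
| metadata type=hosts
| lookup device_names ip AS host OUTPUT device_name
| eval host=coalesce(device_name, host)
| convert ctime(firstTime) ctime(lastTime) ctime(recentTime)
| table host, totalCount, firstTime, lastTime, recentTime
```

Because the lookup is applied at search time, it also relabels hosts whose events were indexed before the table existed.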