How to configure automatic hostname assignment usi...

ricotries · ‎07-25-2020

I have a syslog server receiving data from devices outside of my network and these are transmitted to my Splunk Indexer using a Universal Forwarder. All my configuration to get the data into the indexer is working perfectly fine. I have configuration in inputs.conf in the forwarder to assign the host field from host_segment since the syslog server stores logs in directories named after the source IP address of the message. How can I then change the host field at index-time using a lookup table so the events are stored with the hostname and not the IP address?

For example, I have a .csv file that looks like this:

host ip 
host1 10.10.1.1
host2 10.10.1.2

So I can then perform the following search:

index=idx host=host1

The key point is, I want to store the event with the host field set to the hostname, I don't want to do an automatic search-time lookup.

isoutamo · ‎07-25-2020

Hi

Unfortunately you could use lookup tables only in search not indexing time.
If you want convert IP -> host name, then you probably need to do scripted input or first change that directory / file name to host name before ingesting that data.

Probably there are some 3td party tools (like cribil?) which can do it?

r. Ismo

How to configure automatic hostname assignment using a lookup table?

configuration

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI