Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure automatic hostname assignment using a lookup table?

ricotries
Communicator
‎07-25-2020 10:12 AM

I have a syslog server receiving data from devices outside of my network and these are transmitted to my Splunk Indexer using a Universal Forwarder. All my configuration to get the data into the indexer is working perfectly fine. I have configuration in inputs.conf in the forwarder to assign the host field from host_segment since the syslog server stores logs in directories named after the source IP address of the message. How can I then change the host field at index-time using a lookup table so the events are stored with the hostname and not the IP address?

For example, I have a .csv file that looks like this:

host ip 
host1 10.10.1.1
host2 10.10.1.2

So I can then perform the following search:

index=idx host=host1

The key point is, I want to store the event with the host field set to the hostname, I don't want to do an automatic search-time lookup.

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-25-2020 11:29 AM

Hi

Unfortunately you could use lookup tables only in search not indexing time.
If you want convert IP -> host name, then you probably need to do scripted input or first change that directory / file name to host name before ingesting that data. 

Probably there are some 3td party tools (like cribil?) which can do it?

r. Ismo

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Professionals: Build Resilience and Visibility with These .conf25 ...

  If you're focused on performance, availability, and full-stack visibility, the Observability track at ...

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...
Top