I have a syslog server receiving data from devices outside of my network and these are transmitted to my Splunk Indexer using a Universal Forwarder. All my configuration to get the data into the indexer is working perfectly fine. I have configuration in inputs.conf in the forwarder to assign the host field from host_segment since the syslog server stores logs in directories named after the source IP address of the message. How can I then change the host field at index-time using a lookup table so the events are stored with the hostname and not the IP address?
For example, I have a .csv file that looks like this:
host,ip
host1,10.10.1.1
host2,10.10.1.2
So I can then perform the following search:
index=idx host=host1
The key point is that I want to store the event with the host field set to the hostname; I don't want to do an automatic search-time lookup.
Hi
Unfortunately, you can use lookup tables only at search time, not at index time.
If you want to convert IP -> host name, then you probably need to use a scripted input, or first change that directory / file name to the host name before ingesting that data.
Probably there are some 3rd party tools (like Cribl?) which can do it?
r. Ismo
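The second option in the answer above, renaming the per-IP directories to hostnames from the CSV before the forwarder reads them so that host_segment then yields the hostname, as an added example that is not part of the original thread. The directory layout, the sample log line and the hosts.csv contents are constructed assumptions; IPs with no row in the CSV are deliberately left untouched so the gap in the lookup stays visible in the host field rather than being silently dropped.

```shell
#!/bin/sh
# Added example, not code from the original thread. Renames syslog
# directories named after a source IP to the hostname found in a CSV
# lookup (columns: host,ip) so that inputs.conf host_segment picks up
# the hostname. Paths and the sample data below are constructed.
set -eu

# Constructed sample: a lookup CSV and three per-IP directories, one of
# which (10.10.1.3) has no mapping on purpose.
setup_sample() {
  base="$1"
  mkdir -p "$base/syslog/10.10.1.1" "$base/syslog/10.10.1.2" "$base/syslog/10.10.1.3"
  printf 'host,ip\nhost1,10.10.1.1\nhost2,10.10.1.2\n' > "$base/hosts.csv"
  echo '<13>Jan  1 00:00:00 sshd[1]: constructed sample line' \
    > "$base/syslog/10.10.1.1/messages.log"
}

# lookup_host CSV IP: prints the hostname for IP, or nothing if unmapped.
# Skips the header row and takes the first exact match on the ip column.
lookup_host() {
  awk -F, -v ip="$2" 'NR > 1 && $2 == ip { print $1; exit }' "$1"
}

# rename_dirs CSV SYSLOG_ROOT: rename every IPv4-named directory under
# SYSLOG_ROOT to its hostname. Unmapped IPs and name collisions are
# reported on stderr and skipped, never clobbered.
rename_dirs() {
  csv="$1"; root="$2"
  for d in "$root"/*; do
    [ -d "$d" ] || continue
    ip=$(basename "$d")
    case "$ip" in
      *.*.*.*) ;;        # only directories that look like an IPv4 address
      *) continue ;;     # already a hostname, leave it alone
    esac
    name=$(lookup_host "$csv" "$ip")
    if [ -z "$name" ]; then
      echo "no mapping for $ip in $csv, leaving directory as-is" >&2
      continue
    fi
    if [ -e "$root/$name" ]; then
      echo "target $root/$name already exists, skipping $ip" >&2
      continue
    fi
    mv "$d" "$root/$name"
  done
}
```

Run it as a pre-ingest staging step (rename_dirs /path/hosts.csv /path/syslog) before the Universal Forwarder's monitor stanza sees the tree. Renaming a directory the syslog daemon is still writing into does not help: the daemon simply recreates the IP-named directory on the next message, so either stage the files to a separate tree first or have the syslog daemon itself write to hostname-named directories.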