How to configure automatic hostname assignment using a lookup table?

ricotries
Communicator

I have a syslog server receiving data from devices outside of my network and these are transmitted to my Splunk Indexer using a Universal Forwarder. All my configuration to get the data into the indexer is working perfectly fine. I have configuration in inputs.conf in the forwarder to assign the host field from host_segment since the syslog server stores logs in directories named after the source IP address of the message. How can I then change the host field at index-time using a lookup table so the events are stored with the hostname and not the IP address?

For example, I have a .csv file that looks like this:

host,ip
host1,10.10.1.1
host2,10.10.1.2

So I can then perform the following search:

index=idx host=host1

The key point is that I want to store the event with the host field set to the hostname; I don't want to do an automatic search-time lookup.


isoutamo
SplunkTrust

Hi

Unfortunately you can use lookup tables only at search time, not at index time.
If you want to convert IP -> host name, then you probably need to use a scripted input or first change that directory / file name to the host name before ingesting that data.

Probably there are some 3rd party tools (like Cribl?) which can do it?

r. Ismo

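One way to do what Ismo suggests (changing the directory names before ingestion), as an added example that is not from this thread: a POSIX shell function that builds a parallel tree of hostname-named symlinks from the question's CSV, so that host_segment in inputs.conf yields the hostname instead of the IP. The function name, the source/destination root paths and the CSV header "host,ip" are assumptions; rows whose names contain "/" or ".." are rejected so a bad lookup row cannot point a symlink outside the tree.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the syslog server writes
# to <src_root>/<ip>/..., the lookup CSV has a header line "host,ip", and
# <dst_root> is the directory the forwarder's monitor stanza watches.

# map_host_dirs <lookup.csv> <src_root> <dst_root>
# Creates <dst_root>/<host> -> <src_root>/<ip> for each CSV row whose IP
# directory exists. Prints each mapped hostname on stdout; IP directories
# with no hostname in the lookup are reported on stderr.
map_host_dirs() {
    csv=$1; src=$2; dst=$3
    mkdir -p "$dst"
    # skip the header, strip CRs from Windows-edited CSVs, split on commas
    tail -n +2 "$csv" | tr -d '\r' | while IFS=, read -r host ip; do
        [ -n "$host" ] && [ -n "$ip" ] || continue   # ignore blank rows
        case "$host$ip" in
            */*|*..*) echo "skipping suspicious row: $host,$ip" >&2; continue;;
        esac
        if [ -d "$src/$ip" ]; then
            # -n replaces an existing link instead of creating one inside it
            ln -sfn "$src/$ip" "$dst/$host"
            echo "$host"
        fi
    done
    # flag IP directories the lookup does not know about
    for d in "$src"/*/; do
        ip=$(basename "$d")
        grep -q ",$ip\$" "$csv" || echo "no hostname for $ip" >&2
    done
}
```

Re-run the function whenever the CSV changes; the monitor stanza must be allowed to follow symlinks (Splunk's followSymlink setting) for the linked directories to be read.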