
Hostname Table Lookup, Not Working, What's the issue?

Path Finder

Looking to have the IPs replaced with the hostnames. Receiving the error, "The lookup table 'hosts' does not exist. It is referenced by configuration 'syslog'."

Current config:
/apps/search/lookups/hosts.csv:

ip,name  
x.x.x.x,host1  
y.y.y.y,host2

/apps/search/local/props.conf:

[syslog]  
lookup_table = hosts ip AS host OUTPUT name as host  

/apps/search/local/transforms.conf:

[myLookup]  
filename = hosts.csv  

Any thoughts?
Thanks!


Re: Hostname Table Lookup, Not Working, What's the issue?

Motivator

I think you've got a couple of problems. Your first issue is that you need to reference the lookup name in your props.conf:

[syslog]
LOOKUP-host = myLookup ip OUTPUT name

The second problem is that you're outputting host which is an existing field in Splunk. You'd be better off using name, or hostname, or some other fieldname. I assume that the ip field is some value in your syslog event, and not the ip of the host generating the syslog event. If you're just trying to get Splunk to stick the hostname instead of the IP address in the host field, then add "connection_host = dns" to the config on your TCP input processor in inputs.conf.
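An added example, not part of the original thread and not Splunk tooling: a Python check that cross-references the lookup settings in props.conf against the stanza names in transforms.conf and flags the two problems described in the answer above. The function names `parse_conf` and `check_lookups` are hypothetical, the config strings are constructed from the snippets in this thread, and treating `lookup_table` like `LOOKUP-<class>` is an assumption based on the quoted error message.

```python
import re

# Constructed inputs mirroring the thread: the question's props.conf, the
# answer's corrected props.conf, and the question's transforms.conf.
PROPS_BROKEN = "[syslog]\nlookup_table = hosts ip AS host OUTPUT name as host\n"
PROPS_FIXED = "[syslog]\nLOOKUP-host = myLookup ip OUTPUT name\n"
TRANSFORMS = "[myLookup]\nfilename = hosts.csv\n"

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; comments and blanks skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_lookups(props_text, transforms_text, csv_files):
    """Return a list of problems found in props.conf lookup references."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    problems = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            # Assumption: lookup_table is read like LOOKUP-<class>, with the
            # first token naming the lookup (consistent with the quoted error).
            if not (key.startswith("LOOKUP-") or key == "lookup_table"):
                continue
            tokens = value.split()
            if not tokens:
                continue
            table = tokens[0]
            if table not in transforms:
                problems.append(f"[{stanza}] {key}: no [{table}] stanza in transforms.conf")
            elif transforms[table].get("filename") not in csv_files:
                problems.append(f"[{stanza}] {key}: file for [{table}] not in lookups/")
            upper = [t.upper() for t in tokens]
            if "OUTPUT" in upper and "host" in tokens[upper.index("OUTPUT") + 1:]:
                problems.append(f"[{stanza}] {key}: OUTPUT writes to existing field 'host'")
    return problems

if __name__ == "__main__":
    for label, props in (("question", PROPS_BROKEN), ("answer", PROPS_FIXED)):
        print(label, check_lookups(props, TRANSFORMS, {"hosts.csv"}))
```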


Re: Hostname Table Lookup, Not Working, What's the issue?

Path Finder

I would like to replace the host field in the search app that shows just the IP of each host on the main page and for each event. I would like to use a lookup table instead of dns.

0 Karma

Re: Hostname Table Lookup, Not Working, What's the issue?

Motivator

I don't think you can overwrite the host field with a lookup. Take a look at this answer, it covers the same topic. If you want to replace host with something besides DNS or the IP, you'd probably want to do that when the data is indexed. Check the "Configure indexed field extraction" in the admin guide.

http://answers.splunk.com/questions/1884/lookups-using-them-to-replace-the-host-field

0 Karma

Re: Hostname Table Lookup, Not Working, What's the issue?

Path Finder

Great, thank you (in the solution sense, not the result sense). I didn't know this wasn't possible. Seems like it would be a nice feature to allow lookup of a table for the names to save time. DNS names for me are not the names I actually want which is part of the problem I suppose. Thank you.

0 Karma

Re: Hostname Table Lookup, Not Working, What's the issue?

Motivator

How are you receiving the data? Are you using forwarders? You could always specify the hostname in your inputs.conf on the forwarder with something else (the "host=" stanza).

0 Karma

Re: Hostname Table Lookup, Not Working, What's the issue?

Motivator

@drewbfl, you should take a look at tagging the hosts instead of renaming them. Easier and more portable. http://www.splunk.com/base/Documentation/latest/Knowledge/Tagthehostfield

0 Karma