Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Hostname Table Lookup, Not Working, What's the issue?

drewbfl
Path Finder
‎09-09-2010 09:50 PM

Looking to have the ip's replaced with the hostnames. Receiving the error, "The lookup table 'hosts' does not exist. It is referenced by configuration 'syslog'."

Current config:
/apps/search/lookups/hosts.csv: 

ip,name  
x.x.x.x,host1  
y.y.y.y,host2

/apps/search/local/props.conf: 

[syslog]  
lookup_table = hosts ip AS host OUTPUT name as host

/apps/search/local/transforms.conf: 

[myLookup]  
filename = hosts.csv

Any thoughts?
Thanks!

Tags (2)
Reply

Jeremiah
Motivator
‎09-09-2010 10:59 PM

I think you've got a couple of problems. Your first issue is that you need to reference the lookup name in your props.conf:

[syslog]
LOOKUP-host = myLookup ip OUTPUT name

The second problem is that you're outputting host which is an existing field in Splunk. You'd be better off using name, or hostname, or some other fieldname. I assume that the ip field is some value in your syslog event, and not the ip of the host generating the syslog event. If you're just trying to get Splunk to stick the hostname instead of the IP address in the host field, then add "connection_host = dns" to the config on your TCP input processor in inputs.conf.

Reply

ftk
Motivator
‎12-03-2010 02:15 PM

@ drewbfl, you should take a look at tagging the hosts instead of renaming them. Easier and more portable. http://www.splunk.com/base/Documentation/latest/Knowledge/Tagthehostfield

0 Karma
Reply

Jeremiah
Motivator
‎09-17-2010 11:28 PM

How are you receiving the data? Are you using forwarders? You could always specify the hostname in your inputs.conf on the forwarder with something else (the "host=" stanza).

0 Karma
Reply

drewbfl
Path Finder
‎09-17-2010 02:16 PM

Great, thank you (in the solution sense, not the result sense). I didn't know this wasn't possible. Seems like it would be a nice feature to allow lookup of a table for the names to save time. DNS names for me are not the names I actually want which is part of the problem I suppose. Thank you.

0 Karma
Reply

Jeremiah
Motivator
‎09-14-2010 05:52 PM

I don't think you can overwrite the host field with a lookup. Take a look at this answer, it covers the same topic. If you want to replace host with something besides DNS or the IP, you'd probably want to do that when the data is indexed. Check the "Configure indexed field extraction" in the admin guide.

http://answers.splunk.com/questions/1884/lookups-using-them-to-replace-the-host-field

0 Karma
Reply

drewbfl
Path Finder
‎09-10-2010 02:44 PM

I would like to replace the host field in the search app that shows just the IP of each host on the main page and for each event. I would like to use a lookup table instead of dns.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...