Looking to have the IPs replaced with the hostnames. Receiving the error, "The lookup table 'hosts' does not exist. It is referenced by configuration 'syslog'."
ip,name
x.x.x.x,host1
y.y.y.y,host2

[syslog]
lookup_table = hosts ip AS host OUTPUT name as host

[myLookup]
filename = hosts.csv
I think you've got a couple of problems. Your first issue is that you need to reference the lookup name in your props.conf:
[syslog]
LOOKUP-host = myLookup ip OUTPUT name
The second problem is that you're outputting host which is an existing field in Splunk. You'd be better off using name, or hostname, or some other fieldname. I assume that the ip field is some value in your syslog event, and not the ip of the host generating the syslog event. If you're just trying to get Splunk to stick the hostname instead of the IP address in the host field, then add "connection_host = dns" to the config on your TCP input processor in inputs.conf.
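Pulling the pieces of this answer together, as an added example rather than config from the original post: the CSV, the lookup definition, and the props.conf line that references it by its stanza name and writes to a field other than host. The sample IPs, the file placement, and the output field name hostname are assumptions.

```ini
# hosts.csv (constructed sample; the header row names the lookup fields)
ip,name
192.0.2.10,host1
192.0.2.11,host2

# transforms.conf -- the lookup is referenced by this stanza name (myLookup),
# not by the CSV file name, which is what caused the "does not exist" error
[myLookup]
filename = hosts.csv

# props.conf -- reference the transforms.conf stanza name, and OUTPUT to a
# new field so the built-in host field is left alone
[syslog]
LOOKUP-hostname = myLookup ip OUTPUT name AS hostname
```

After a restart or `| extract reload=true`, `| inputlookup myLookup` should return the two CSV rows, and events with sourcetype=syslog and an ip field will carry a hostname field at search time. The host field itself stays as indexed, which is why the following replies discuss setting it at input time instead.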
I would like to replace the host field in the search app that shows just the IP of each host on the main page and for each event. I would like to use a lookup table instead of dns.
I don't think you can overwrite the host field with a lookup. Take a look at this answer, it covers the same topic. If you want to replace host with something besides DNS or the IP, you'd probably want to do that when the data is indexed. Check the "Configure indexed field extraction" in the admin guide.
Great, thank you (in the solution sense, not the result sense). I didn't know this wasn't possible. Seems like it would be a nice feature to allow lookup of a table for the names to save time. DNS names for me are not the names I actually want which is part of the problem I suppose. Thank you.
How are you receiving the data? Are you using forwarders? You could always specify the hostname in your inputs.conf on the forwarder with something else (the "host=" stanza).