Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- IP to Name
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IP to Name
vistasyslog
New Member
01-11-2013
08:19 AM
I cannot get the hostnames in place of IP's on the summary screen. I need to get it done through the .csv file option and not DNS.
.CSV file contents reads :
IP,Name
10.12.0.132,AUS-BROCADE-10G-2
10.12.100.9,AUS-VG1
10.12.100.8,AUS-VG2
Transforms.conf :
[hostnames]
filename = hostnames.csv
props.conf :
[access_combined]
Lookup-hostnames = Hostnames ip AS IP OUTPUT Name
Can you tell me if there is something that I need to change.
I have added the .csv file as a lookup table, pointed a lookup definition to it.
When I perform this search :
sourcetype="syslog" | lookup hostnames host AS IP OUTPUT Name
I get the following error :
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table
The .csv file is in the system/lookups folder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
01-11-2013
08:21 AM
You have the fields in the wrong order in your lookup command, they should be the other way around:
... | lookup hostnames IP AS host OUTPUT Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
01-11-2013
10:56 AM
It's not "Lookup", it's LOOKUP, all caps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vistasyslog
New Member
01-11-2013
08:53 AM
My entire props.conf reads :
[source::udp:514]
TRANSFORMS-changesourcetype = riverbed_steelhead, sourcetype_cisco_asa
[access_combined]
Lookup-hostnames = hostnames ip AS IP OUTPUTNEW Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vistasyslog
New Member
01-11-2013
08:43 AM
I tried this command., I still get the same error.
I also get the error :
Possible Typo in the first stanza [access_combined] in props.conf file.
Related Topics
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
