I have some forwarders which are sending logs to indexers in other subnets, and I have connected a search head to these indexers.
Each event has the host field but not an ip field. I'm looking forward to resolving the IP addresses of these hosts. I have already found dnslookup, and the metric search (index=_internal component=Metric group=tcpin_connections | stats values(hostname) as host by sourceIp).
But there are some problems: dnslookup can't resolve the IPs of hosts that are sending to the indexer in the other subnet. In the metric search, not all hosts from the logs are present. And in some cases dnslookup resolves the IP and metric does not (which is very strange to me). I have spent several dozen hours on this problem (which, it seems to me, should really be the first issue in Splunk administration) and I'm really confused about it. I'm looking for a universal solution, or another solution for resolving the IP from the host name in events. Thank you for any help.
1) the CSV header matching the fields provided on the command line; 2) the host www.splunk.com and no src_ip; and 3) the src_ip 22.214.171.124 and no host.
On my test system, both the forward and reverse lookup were successful.
If the command fails or returns the wrong result, validate your host's DNS configuration, including your DNS servers, domain search list, and resolver cache if enabled.
If you're having name resolution problems with TCP or UDP inputs, i.e. you see IP addresses in the host field but expected to see host names, confirm the connection_host setting on the input. If connection_host is set to dns, Splunk uses FCrDNS to validate resolved names.
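As an added illustration, not code from the answer above or from Splunk itself, here is a minimal external lookup script that speaks the CSV protocol the answer's test exercises: the field names arrive on the command line, a row carrying only the host gets its src_ip filled, and a row carrying only src_ip gets its host filled only when the PTR name is forward-confirmed (FCrDNS). The names and addresses in FAKE_A and FAKE_PTR are constructed so the example runs offline; the dns_* functions use the OS resolver when the script is run for real.

```python
import csv
import io
import socket
import sys

# Constructed sample DNS data (hypothetical names/addresses) so the example runs offline.
FAKE_A = {"www.example.test": {"203.0.113.10"}, "fwd01.example.test": {"203.0.113.20"}}
FAKE_PTR = {"203.0.113.10": "www.example.test",
            "203.0.113.30": "stale.example.test"}  # PTR whose name has no matching A record


def dns_forward(name):
    """Forward lookup via the OS resolver: the set of addresses for a name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def dns_reverse(ip):
    """Reverse lookup via the OS resolver: the PTR name for an address."""
    return socket.gethostbyaddr(ip)[0]


def fake_forward(name):
    return FAKE_A[name]


def fake_reverse(ip):
    return FAKE_PTR[ip]


def fcrdns(ip, fwd, rev):
    """Forward-confirmed reverse DNS: accept the PTR name only if it resolves back to ip."""
    try:
        name = rev(ip)
        return name if ip in fwd(name) else None
    except (OSError, KeyError):  # socket.herror / socket.gaierror are OSError subclasses
        return None


def lookup(csv_text, host_field="host", ip_field="src_ip", fwd=dns_forward, rev=dns_reverse):
    """Read lookup rows as CSV, fill the empty side of host_field/ip_field, return CSV.
    One output row per resolved address; a row that resolves to nothing is dropped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        host, ip = row.get(host_field, ""), row.get(ip_field, "")
        if host and not ip:
            try:
                for addr in sorted(fwd(host)):
                    writer.writerow({**row, ip_field: addr})
            except (OSError, KeyError):
                pass
        elif ip and not host:
            name = fcrdns(ip, fwd, rev)
            if name:
                writer.writerow({**row, host_field: name})
        elif host and ip:
            writer.writerow(row)  # both sides supplied: pass the row through unchanged
    return out.getvalue()


if __name__ == "__main__":  # Splunk invokes: external_lookup.py <host field> <ip field>
    sys.stdout.write(lookup(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```

Feed it the same three-row test as the answer (header, host only, src_ip only) to see which direction fails on your indexer; a dropped reverse row means the PTR name did not confirm forward, which is exactly what connection_host = dns would reject.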