We send syslog direct from switches to the Splunk indexer.
Is it possible to change the IP address to the name of the switch?
from:
Apr 25 10:32:09 10.11.12.13 458104: 5y14w: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up
to:
Apr 25 10:32:09 Switch1 458104: 5y14w: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up
In inputs.conf I have these two options:
connection_host = Switch1
host = Switch1
Unfortunately, we have no connection to a DNS-Server.
Maybe there is a way over /etc/hosts if no Splunk solution is possible.
Do you have a csv file with IP and corresponding switch name?
No I don't. But I could create that.
What are the steps after that?
You can use that as a lookup. Refer below docs:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Lookup
Is there a solution without such a lookup?
Because the users want to enter "host=Switch1" and not "host=10.11.12.13 | lookup.... "
You can do that lookup automatically using props and transforms.
But not at indextime, which is usually where you set the host field value.
This is just one of those reasons why it is a bad idea to send syslog data straight to Splunk. If you would put a syslog server in between, you could have that do DNS lookups and write the logs with a proper hostname.
Alternatively, if you get the syslog data really directly from the switch (so no aggregator / load balancer in between), you could try using:
connection_host = dns
in your inputs.conf.
PS: if you assign sourcetype=syslog to this, you might be looking at the syslog host extraction, which overwrites the host field you set in inputs.conf with the content of the event.
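Putting the pieces of this thread together as configuration (an added example, not from the original post or from Splunk's own defaults): inputs.conf with connection_host = dns, a custom sourcetype so the default syslog host extraction does not undo it, and the props/transforms automatic lookup as the search-time fallback. The sourcetype name cisco:ios, the index name network, the lookup name switch_names, the field name switch_name and the CSV contents are all assumptions.

```ini
# ===== inputs.conf =====
# Syslog received straight from the switches. connection_host = dns makes
# Splunk reverse-resolve the sender address through the indexer's OS
# resolver, so with no DNS server a line in the indexer's /etc/hosts
# ("10.11.12.13 Switch1") is enough. This only works when the switch itself
# is the sender: with a relay or load balancer in between, every event
# would resolve to the relay's name.
[udp://514]
connection_host = dns
# Assumed custom sourcetype (see props.conf below).
sourcetype = cisco:ios
index = network

# ===== props.conf =====
# Using our own sourcetype instead of "syslog" matters: the default
# [syslog] stanza applies a host-extraction transform that overwrites the
# host set by inputs.conf with the host token from the event text, which for
# these switches is the bare IP address again.
[cisco:ios]
# Search-time fallback: automatic lookup from the indexed host (an IP) to
# the switch name. This adds a new field, switch_name; it cannot rewrite the
# indexed host value, so users search switch_name=Switch1 rather than
# host=Switch1, and every event in the time range is read before the lookup
# can filter anything.
LOOKUP-switch_name = switch_names ip AS host OUTPUT switch_name

# ===== transforms.conf =====
# switch_names.csv (constructed sample, placed in the app's lookups/ directory):
#   ip,switch_name
#   10.11.12.13,Switch1
#   10.11.12.14,Switch2
[switch_names]
filename = switch_names.csv
# Switches missing from the table keep their IP as host; with these two
# settings switch_name is still populated instead of being absent.
min_matches = 1
default_match = unknown-switch
```

Before trusting connection_host = dns without DNS, check the resolver path the indexer will use: `getent hosts 10.11.12.13` on the indexer must print Switch1. If it does not, fix /etc/hosts (and /etc/nsswitch.conf) first; Splunk will not name the host any better than the OS does.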