Splunk Search

Is it possible to change the IP address to the name of the switch?

chrisitanmoleck
Path Finder

We send syslog direct from switches to the Splunk indexer.
Is it possible to change the IP address to the name of the switch?
from:

Apr 25 10:32:09 10.11.12.13 458104: 5y14w: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up

to:

Apr 25 10:32:09 Switch1 458104: 5y14w: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up

In inputs.conf I have these two options:

connection_host = Switch1
host = Switch1

Unfortunately, we have no connection to a DNS-Server.
Maybe there is a way over /etc/hosts if no Splunk solution is possible.

0 Karma

p_gurav
Champion

Do you have csv file with IP and corresponding switch name?

0 Karma

chrisitanmoleck
Path Finder

No I don't. But I could create that.
What are the steps after that?

0 Karma

p_gurav
Champion

You can use that as lookup. Refer below docs:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Lookup

0 Karma

chrisitanmoleck
Path Finder

Is there a solution without such a lookup?
Because the users want to enter "host=Switch1" and not "host=10.11.12.13 | lookup.... "

0 Karma

FrankVl
Ultra Champion

You can do that lookup automatically using props and transforms.

But not at index time, which is usually where you set the host field value.

This is just one of those reasons why it is a bad idea to send syslog data straight to Splunk. If you would put a syslog server in between, you could have that do DNS lookups and write the logs with a proper hostname.

Alternatively, if you get the syslog data really directly from the switch (so no aggregator / load balancer in between), you could try using:
connection_host = dns
in your inputs.conf.

PS: if you assign sourcetype=syslog to this, you might be looking at the syslog host extraction, that overwrites the host field you set in inputs.conf with the content of the event.

0 Karma
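To make the two approaches in the answer above concrete, here is an added configuration example (not from the thread or from Splunk's docs). It assumes a lookup CSV named switch_names.csv, a lookup stanza called switch_name_lookup, a sourcetype named cisco:ios and a UDP 514 input; the IP/name pairs are constructed samples matching the events quoted in the question. Option A is the props/transforms automatic lookup (search time only), option B is the connection_host = dns route backed by /etc/hosts.

```ini
# ---------- Option A: search-time automatic lookup ----------

# lookups/switch_names.csv in your app (constructed sample rows)
#   ip,switch_name
#   10.11.12.13,Switch1
#   10.11.12.14,Switch2

# transforms.conf (lookup stanza name assumed)
[switch_name_lookup]
filename = switch_names.csv

# props.conf (sourcetype name assumed; use whatever your input assigns)
# Feeds the event's host field into the CSV's ip column and adds switch_name.
# OUTPUTNEW leaves the indexed host value untouched, so nothing is silently
# overwritten when a switch is missing from the CSV.
[cisco:ios]
LOOKUP-switch_name = switch_name_lookup ip AS host OUTPUTNEW switch_name

# ---------- Option B: reverse DNS at input time via /etc/hosts ----------

# /etc/hosts on the indexer (constructed entries)
#   10.11.12.13   Switch1
#   10.11.12.14   Switch2

# inputs.conf (port and sourcetype assumed; only valid when the switch
# connects directly, with no relay or load balancer in between)
[udp://514]
sourcetype = cisco:ios
connection_host = dns
```

With option A users search switch_name=Switch1 rather than host=Switch1; the lookup runs at search time, so the indexed host field still holds the IP. Option B sets host from a reverse lookup of the sending address; on most Linux hosts the system resolver consults /etc/hosts before DNS (check /etc/nsswitch.conf), so no DNS server is required. Assigning a sourcetype other than syslog here is deliberate, because the built-in syslog host extraction mentioned in the answer would otherwise replace the resolved name with the IP embedded in the event.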