Splunk Search

Remove hostname from the metadata.

Communicator

After initial installation of the forwarder when the Splunk service is started the forwarder reports by Ip Address.After we configure the hostn name to FQDN it starts reporting by FQDN.However in the metadata shows there are two hosts one by IP and the other by FQDN. How do I delete the IP from the metadata or the Summary Index.

Tags (1)
1 Solution

Super Champion

Removing anything from your metadata rather complicated. To do it correctly you have to re-index your data. Which, like it sounds, is a lot of work.

If your real issue issue with summary indexing, you can always just delete the old events. Then you can modify your saved searches to add a replace command to re-map your ip to the desired hostnames. For example: | replace 172.16.1.1 with server1.example.com 172.16.1.2 with server2.example.com ... in host, and then re-run your summary index searches with the fill_summary_index.py script.

Another variation would be to use the lookup feature rather than replace command, which would make sense if you had a large number of hosts. There's a small gotcha with this approach, see this post for a work around.

Also, make sure you read up on the delete search command before you try this. See Remove indexed data from Splunk in the online docs.

Another really simple way to deal with this is to simply tag your host values. Then you can search with tag::host=tagname.

View solution in original post

Super Champion

Removing anything from your metadata rather complicated. To do it correctly you have to re-index your data. Which, like it sounds, is a lot of work.

If your real issue issue with summary indexing, you can always just delete the old events. Then you can modify your saved searches to add a replace command to re-map your ip to the desired hostnames. For example: | replace 172.16.1.1 with server1.example.com 172.16.1.2 with server2.example.com ... in host, and then re-run your summary index searches with the fill_summary_index.py script.

Another variation would be to use the lookup feature rather than replace command, which would make sense if you had a large number of hosts. There's a small gotcha with this approach, see this post for a work around.

Also, make sure you read up on the delete search command before you try this. See Remove indexed data from Splunk in the online docs.

Another really simple way to deal with this is to simply tag your host values. Then you can search with tag::host=tagname.

View solution in original post

Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!