Splunk Search

Various hostnames for a single server

remy06
Contributor

Hi,

Currently on our Splunk server, under Search "Summary" I have various hostnames registered under "Hosts" section for a single server that is sending logs via syslog.

Eg. Hosts (1):
xx1 | 23456
xx1.abc | 24587
xx1.abc.com | 12645

which in fact all refer to the same server (xx1, which is the latest hostname used) with the same IP.

My configuration under Manager > Data Inputs > UDP > 514 > Host is set as "DNS".

1) How do I amend the various hostnames to reflect as one instead?
2) If I set the data input to "IP" instead of "DNS", should it have 1 entry (IP) instead of various entries (DNS hostnames) for the xx1 server?
3) How do I correct the current Summary page to reflect the hosts properly?

Thanks.

1 Solution

chris
Motivator

We have several DNS aliases for our hosts, so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups.

http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources

There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/


0 Karma

remy06
Contributor

Hi, it may not be syslog only; it can be from Windows servers via light forwarding as well.

under Summary > All indexed data > Hosts I can have the following:

a1.windows
a2.windows.com
..
x1.linux
x2.linux.abc

where a1.windows and a2.windows.com both refer to the same machine with the same IP. Likewise, x1.linux and x2.linux.abc both refer to the same Linux machine.

I am trying some of the links provided. I would like to classify them under a single hostname, in the above example 'AA' for the 2 Windows servers and 'XX' for the 2 Linux servers.

Thanks..
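The lookup approach chris describes, applied to the hostnames in the reply above, as an added example that is not code from this thread or from Splunk: a Python external lookup script of the kind transforms.conf's external_cmd runs. The alias table, the stanza name host_alias and the output field name canonical_host are assumptions; a real deployment would fill the table from the inventory CSV.

```python
#!/usr/bin/env python3
# Splunk external lookup script mapping every hostname variant to one alias.
# Protocol: Splunk runs the script with the lookup field names as arguments,
# pipes CSV rows (one column per field) to stdin and reads the completed CSV
# back from stdout. Assumed transforms.conf stanza wiring it up:
#   [host_alias]
#   external_cmd = host_alias.py host canonical_host
#   fields_list = host, canonical_host
import csv
import sys

# Constructed alias table (alias -> variants seen in the host field); in
# practice populate it from a CSV dumped from the inventory database.
ALIASES = {
    "AA": ["a1.windows", "a2.windows.com"],
    "XX": ["x1.linux", "x2.linux.abc"],
}
# Inverted and lower-cased so that matching is case-insensitive.
VARIANT_TO_ALIAS = {v.lower(): a for a, vs in ALIASES.items() for v in vs}

def canonical_host(host):
    """Alias for a hostname variant; an unknown host keeps its own name so
    nothing is silently folded into the wrong alias."""
    return VARIANT_TO_ALIAS.get(host.strip().lower(), host.strip())

def resolve_rows(rows, host_field="host", alias_field="canonical_host"):
    """Fill in whichever side of the lookup Splunk left empty, row by row."""
    out = []
    for row in rows:
        if row.get(host_field):                     # host -> alias
            out.append({**row, alias_field: canonical_host(row[host_field])})
        elif row.get(alias_field):                  # alias -> every variant
            for variant in ALIASES.get(row[alias_field], [row[alias_field]]):
                out.append({**row, host_field: variant})
        else:                                       # nothing to resolve
            out.append(row)
    return out

def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        sys.exit("usage: host_alias.py <host_field> <alias_field>")
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(resolve_rows(reader, *argv))

if __name__ == "__main__":
    main()
```

Once the lookup is defined, `| lookup host_alias host OUTPUT canonical_host | stats count by canonical_host` collapses the Summary page's variants into one row per machine.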


jrodman
Splunk Employee

For syslog, we pull the hostname out of the text of the syslog events.

Options:

0 Karma