Hi,
Currently on our Splunk server, under Search "Summary" I have various hostnames registered under "Hosts" section for a single server that is sending logs via syslog.
Eg. Hosts(1):
xx1 | 23456
xx1.abc | 24587
xx1.abc.com | 12645
which in fact all refer to the same server (xx1, which is the latest hostname used) with the same IP.
My configuration under Manager > Data Inputs > UDP > 514 > Host is set as "DNS"
1) How do I amend the various hostnames to reflect as one instead?
2) If I set the data input to "IP" instead of "DNS", should it then have 1 entry (the IP) instead of various entries (DNS hostnames) for the xx1 server?
3) How do I correct the current Summary page to reflect the hosts properly?
Thanks.
We have several DNS aliases for our hosts, so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a CSV file dumped from an inventory DB, but you can also use a Python script to do DNS or DB (or whatever) lookups.
http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources
There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/
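As an added example (not from this thread and not Splunk's own sample script), here is a Python external lookup in the shape the answer describes: every variant of a host name is reduced to its short name and mapped through an inventory table to one canonical label. The script name, the field names and the inventory contents are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""canonical_host.py (hypothetical name): Splunk external lookup that maps all
DNS variants of a host to one canonical name. Constructed example."""
import csv
import io
import sys

# Constructed inventory: short hostname -> canonical label. In practice this
# would be dumped from an inventory DB (or replaced by a DNS/DB query).
INVENTORY = {
    "a1": "AA", "a2": "AA",   # two names, one Windows box
    "x1": "XX", "x2": "XX",   # two names, one Linux box
}


def canonical_host(host, inventory=INVENTORY):
    """Return the canonical name for any variant (short name, FQDN, any case).
    Hosts missing from the inventory fall back to their lower-cased short name,
    so xx1, xx1.abc and xx1.abc.com all collapse to xx1."""
    short = host.strip().lower().split(".")[0]
    return inventory.get(short, short)


def run_lookup(stdin, stdout, in_field="host", out_field="canonical_host"):
    """Splunk external-lookup protocol: CSV on stdin, same columns on stdout,
    with the output field filled in for every row that lacks it."""
    reader = csv.DictReader(stdin)
    if not reader.fieldnames:          # empty input: nothing to emit
        return
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        if row.get(in_field) and not row.get(out_field):
            row[out_field] = canonical_host(row[in_field])
        writer.writerow(row)


def lookup_text(csv_text, in_field="host", out_field="canonical_host"):
    """Convenience wrapper for testing: run the lookup over a CSV string."""
    out = io.StringIO()
    run_lookup(io.StringIO(csv_text), out, in_field, out_field)
    return out.getvalue()


if __name__ == "__main__":
    # Splunk passes the field names as arguments, e.g. "host canonical_host".
    run_lookup(sys.stdin, sys.stdout, *sys.argv[1:3])
```

To use it, register the script in transforms.conf as an external lookup (`external_cmd = canonical_host.py host canonical_host` with `fields_list = host, canonical_host`) and then pivot on the new field with `| lookup <lookupname> host OUTPUT canonical_host`.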
Hi, it may not be syslog only; it can also be from Windows servers via light forwarding.
under Summary > All indexed data > Hosts I can have the following:
a1.windows a2.windows.com .. x1.linux x2.linux.abc
where a1.windows and a2.windows.com both refer to the same machine with the same IP. Likewise, x1.linux and x2.linux.abc both refer to the same Linux machine.
I am trying some of the links provided. I would like to classify them under a single hostname; in the above eg., 'AA' for the 2 Windows servers and 'XX' for the 2 Linux servers.
Thanks..
For syslog, we pull the hostname out of the text of the syslog events.
Options: