Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Various hostnames for a single server

remy06
Contributor
‎05-05-2010 03:58 AM

Hi,

Currently on our Splunk server, under Search "Summary" I have various hostnames registered under "Hosts" section for a single server that is sending logs via syslog.

Eg. Hosts(1) ...... xx1 ... | 23456 xx1.abc ... | 24587 xx1.abc.com ... | 12645

which in fact they all refer to the same server (xx1,which is the latest hostname used) with the same IP.

My configuration under Manager > Data Inputs > UDP > 514 > Host is set as "DNS"

1) How do I amend the various hostnames to reflect as one instead? 2) If I set the data input to "IP" instead of "DNS",it should have 1 entry(IP) now instead of various entries(DNS hostnames) for xx1 server? 3) How do I correct the current Summary page to reflect the hosts properly?

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎05-05-2010 08:48 AM

We have several DNS aliases for our hosts so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups

http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources

There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/

View solution in original post

0 Karma
Reply
Solved! Jump to solution

remy06
Contributor
‎05-12-2010 10:23 AM

Hi, It may not be syslog only..can be from windows servers via light forwarding as well..

under Summary > All indexed data > Hosts I can have the following:

a1.windows a2.windows.com .. x1.linux x2.linux.abc

where a1.windows and a2.windows.com both refer to the same machine with same ip.So are x1.linux and x2.linux.abc both refers to the same linux machine.

I am trying some of the links provided. I like to classify them under a single hostname, in the above eg..'AA' for 2 windows server and 'XX' for the 2 linux server.

Thanks..

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎05-05-2010 08:48 AM

We have several DNS aliases for our hosts so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups

http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources

There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎05-05-2010 05:23 AM

For syslog, we pull the hostname out of the text of the syslog events.

Options:

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...