- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Various hostnames for a single server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Currently on our Splunk server, under Search "Summary" I have various hostnames registered under "Hosts" section for a single server that is sending logs via syslog.
Eg. Hosts(1) ...... xx1 ... | 23456 xx1.abc ... | 24587 xx1.abc.com ... | 12645
which in fact they all refer to the same server (xx1,which is the latest hostname used) with the same IP.
My configuration under Manager > Data Inputs > UDP > 514 > Host is set as "DNS"
1) How do I amend the various hostnames to reflect as one instead? 2) If I set the data input to "IP" instead of "DNS",it should have 1 entry(IP) now instead of various entries(DNS hostnames) for xx1 server? 3) How do I correct the current Summary page to reflect the hosts properly?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have several DNS aliases for our hosts so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups
http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources
There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, It may not be syslog only..can be from windows servers via light forwarding as well..
under Summary > All indexed data > Hosts I can have the following:
a1.windows a2.windows.com .. x1.linux x2.linux.abc
where a1.windows and a2.windows.com both refer to the same machine with same ip.So are x1.linux and x2.linux.abc both refers to the same linux machine.
I am trying some of the links provided. I like to classify them under a single hostname, in the above eg..'AA' for 2 windows server and 'XX' for the 2 linux server.
Thanks..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have several DNS aliases for our hosts so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups
http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources
There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For syslog, we pull the hostname out of the text of the syslog events.
Options:
- Investigate syslog data to see if the events hav varying forms of the host name
- Disable the extraction of the hostname from the event for your data, or some subset of that data. There's a venerable blogpost about this here http://blogs.splunk.com/2008/04/16/overriding-default-syslog-host-extraction/
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
