Splunk Search

Various hostnames for a single server

remy06
Contributor

Hi,

Currently on our Splunk server, under Search "Summary" I have various hostnames registered under "Hosts" section for a single server that is sending logs via syslog.

Eg. under Hosts I see:

xx1 ... 23456
xx1.abc ... 24587
xx1.abc.com ... 12645

which in fact all refer to the same server (xx1, which is the latest hostname used) with the same IP.

My configuration under Manager > Data Inputs > UDP > 514 > Host is set as "DNS"

1) How do I amend the various hostnames to reflect as one instead?
2) If I set the data input to "IP" instead of "DNS", should it have 1 entry (IP) now instead of various entries (DNS hostnames) for the xx1 server?
3) How do I correct the current Summary page to reflect the hosts properly?

Thanks.

1 Solution

chris
Motivator

We have several DNS aliases for our hosts, so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a CSV file dumped from an inventory DB, but you can also use a Python script to do DNS or DB (or whatever) lookups.

http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources

There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/


0 Karma
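The lookup approach above, as an added example that is not part of this thread or of Splunk's own sample scripts. Splunk runs an external lookup script with a CSV on stdin (header = the fields named in transforms.conf) and expects the same CSV back on stdout with the output field filled in. This script assumes an input field `host` and an output field `canonical_host` (both names chosen here), and uses a constructed inventory table standing in for the CSV dumped from an inventory database; the `AA`/`XX` aliases are the ones from the follow-up question further down, where two differently named hosts are in fact one machine, so a plain domain-suffix strip alone would not be enough.

```python
#!/usr/bin/env python
"""
Splunk-style external lookup: map every hostname variant to one canonical name.

Splunk pipes a CSV into the script on stdin and reads the filled-in CSV from
stdout.  Field names `host` / `canonical_host` are assumptions for this example.
"""
import csv
import io
import sys

# Constructed inventory (not real data), standing in for the CSV dump from an
# inventory DB.  Keys are normalised short names; values are the alias to report.
# a1/a2 are one Windows box ("AA"), x1/x2 are one Linux box ("XX").
INVENTORY = {
    "xx1": "xx1",
    "a1": "AA",
    "a2": "AA",
    "x1": "XX",
    "x2": "XX",
}


def normalize_host(host):
    """Lower-case and strip any domain suffix (and a trailing dot), so that
    'xx1', 'XX1.abc' and 'xx1.abc.com.' all become 'xx1'."""
    return host.strip().lower().rstrip(".").split(".")[0]


def canonical_host(host, inventory=INVENTORY):
    """Return the inventory alias for a host.  Unknown hosts fall back to the
    normalised short name, so their own FQDN variants still collapse to one."""
    short = normalize_host(host)
    return inventory.get(short, short)


def run_lookup(infile, outfile, in_field="host", out_field="canonical_host"):
    """Process the CSV Splunk pipes in: fill out_field on every row that has
    in_field set, pass other rows through untouched.  Returns the row count."""
    reader = csv.DictReader(infile)
    fieldnames = list(reader.fieldnames or [])
    for name in (in_field, out_field):
        if name not in fieldnames:
            fieldnames.append(name)
    writer = csv.DictWriter(outfile, fieldnames=fieldnames)
    writer.writeheader()
    rows = 0
    for row in reader:
        if row.get(in_field):
            row[out_field] = canonical_host(row[in_field])
        writer.writerow(row)
        rows += 1
    return rows


def lookup_csv_text(text):
    """Run the lookup over a CSV string and return the output CSV as a list of
    lines; handy for checking the script outside Splunk."""
    out = io.StringIO()
    run_lookup(io.StringIO(text), out)
    return out.getvalue().splitlines()


if __name__ == "__main__":
    # This is how Splunk invokes it: CSV in on stdin, CSV out on stdout.
    run_lookup(sys.stdin, sys.stdout)
```

To wire it up (assumed stanza and script names), the script goes in the app's `bin` directory, transforms.conf gets a stanza such as `[canonical_host]` with `external_cmd = canonical_host.py host canonical_host` and `fields_list = host, canonical_host`, and props.conf gets `LOOKUP-canonical = canonical_host host OUTPUT canonical_host` for the relevant sourcetype or host stanza. Searches and the Summary-style reports can then group on `canonical_host` instead of `host`; the original `host` values are left intact, so nothing already indexed is rewritten.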

remy06
Contributor

Hi, it may not be syslog only; it can be from Windows servers via light forwarding as well.

under Summary > All indexed data > Hosts I can have the following:

a1.windows
a2.windows.com
..
x1.linux
x2.linux.abc

where a1.windows and a2.windows.com both refer to the same machine with the same IP. Likewise, x1.linux and x2.linux.abc both refer to the same Linux machine.

I am trying some of the links provided. I would like to classify them under a single hostname; in the above example, 'AA' for the 2 Windows servers and 'XX' for the 2 Linux servers.

Thanks..

jrodman
Splunk Employee

For syslog, we pull the hostname out of the text of the syslog events.

Options:

0 Karma