Splunk Search

Various hostnames for a single server

Contributor

Hi,

Currently on our Splunk server, under Search "Summary" I have various hostnames registered under "Hosts" section for a single server that is sending logs via syslog.

Eg. Hosts(1) ...... xx1 ... | 23456 xx1.abc ... | 24587 xx1.abc.com ... | 12645

which in fact they all refer to the same server (xx1,which is the latest hostname used) with the same IP.

My configuration under Manager > Data Inputs > UDP > 514 > Host is set as "DNS"

1) How do I amend the various hostnames to reflect as one instead? 2) If I set the data input to "IP" instead of "DNS",it should have 1 entry(IP) now instead of various entries(DNS hostnames) for xx1 server? 3) How do I correct the current Summary page to reflect the hosts properly?

Thanks.

1 Solution

Motivator

We have several DNS aliases for our hosts so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups

http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources

There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/

View solution in original post

0 Karma

Contributor

Hi, It may not be syslog only..can be from windows servers via light forwarding as well..

under Summary > All indexed data > Hosts I can have the following:

a1.windows a2.windows.com .. x1.linux x2.linux.abc

where a1.windows and a2.windows.com both refer to the same machine with same ip.So are x1.linux and x2.linux.abc both refers to the same linux machine.

I am trying some of the links provided. I like to classify them under a single hostname, in the above eg..'AA' for 2 windows server and 'XX' for the 2 linux server.

Thanks..

Motivator

We have several DNS aliases for our hosts so we added a lookup which adds an extra field that contains the same alias for all the different variations that appear in the host field. We use a csv file dumped from an inventory db, but you can also use a python script to do DNS or DB (or whatever) lookups

http://www.splunk.com/base/Documentation/4.1/Knowledge/Addfieldsfromexternaldatasources

There is a sample script in the lookups directory which may do just what you want. This blog post describes how to use it: http://blogs.splunk.com/2009/12/15/reverse-dns-lookups-for-host-entries/

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

For syslog, we pull the hostname out of the text of the syslog events.

Options:

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!