Hi,
My forwarder is forwarding messages from a private subnet to our splunk indexer.
Here's an example of what I'm getting:
3:57:04.000 PM
Mar 5 15:57:04 10.150.XXX.XXX logmgr: ID = 516 : Tue Mar 5 15:53:59 2013 : Audit : Log : minor : root : Set : object = "/SP/alertmgmt/rules/testalert" : value = "true" : success
host=10.150.XXX.XXX
sourcetype=udp:514
source=udp:514
What I'd like is for the hostname to be resolved.
On the forwarder I can resolve the IP address to a hostname:
$ host 10.150.XXX.XXX
XXX.XXX.150.10.in-addr.arpa domain name pointer XXXXX-ilom.university.ac.uk.
I had a look at the splunk documentation and tried the instructions here to try and get around the problem:
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources
In summary, I made the following changes to the quoted files, ensured there was also a copy of each in /opt/splunk/etc/apps/SplunkForwarder/local, and restarted splunk, but it didn't work.
In /opt/splunk/etc/system/local/props.conf
Added the 2 bottom lines to the access_combined section:
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
LOOKUP-dns = dnsLookup host OUTPUT ip AS clientip
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname
In /opt/splunk/etc/system/local/transforms.conf
Changed the dns_lookup section to the following 2 lines:
external_cmd = external_lookup.py host ip
fields_list = host, ip
Does anyone have any ideas what I'm doing wrong?
Many Thanks, Maria
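Added example, not Maria's configuration or the external_lookup.py that ships with Splunk: a minimal script (hypothetical name rdns_lookup.py) that implements the external lookup contract the post relies on, where Splunk runs the command from external_cmd, pipes a CSV with the fields_list columns to its stdin, and expects the same CSV back with the blank column filled in. The resolver functions are injectable so the CSV handling can be exercised without DNS.

```python
#!/usr/bin/env python3
# Hypothetical "rdns_lookup.py" (added example, not Splunk's shipped external_lookup.py).
# transforms.conf would reference it as:
#   external_cmd = rdns_lookup.py host ip
#   fields_list = host, ip
# Splunk pipes a CSV with those columns to stdin; each row has one field filled
# and the other blank, and expects the same CSV back with the blank resolved.
import csv
import socket
import sys

def reverse_lookup(ip):
    """IP -> PTR name, or '' when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""

def forward_lookup(name):
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, OSError):
        return ""

def fill_rows(rows, host_field, ip_field, rdns=reverse_lookup, fdns=forward_lookup):
    """Return copies of the rows with the missing host/ip field filled in.
    Resolvers are parameters so the logic can be tested without DNS. PTR names
    are set by whoever controls the reverse zone: treat them as untrusted data."""
    out = []
    for row in rows:
        row = dict(row)
        host, ip = row.get(host_field, ""), row.get(ip_field, "")
        if ip and not host:
            row[host_field] = rdns(ip)
        elif host and not ip:
            row[ip_field] = fdns(host)
        out.append(row)
    return out

def process(infile, outfile, host_field, ip_field, **resolvers):
    """Read Splunk's CSV from infile and write the completed CSV to outfile."""
    reader = csv.DictReader(infile)
    fieldnames = reader.fieldnames or [host_field, ip_field]  # empty input: header only
    writer = csv.DictWriter(outfile, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(fill_rows(reader, host_field, ip_field, **resolvers))

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <host_field> <ip_field>" % sys.argv[0])
    process(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
```

A LOOKUP- setting in props.conf only applies to events matching its stanza; the events in the post carry sourcetype=udp:514, while the LOOKUP- lines quoted above sit under [access_combined].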