Hello,
New Splunk user here. I have a syslog input consuming messages from a bunch of different hosts. Most PTR records resolve just fine and the host is correctly assigned. But I have a couple of IPs whose PTR records do not resolve, and for reasons outside my control, I cannot fix them.
For these hosts, Splunk is populating the host field with the IP address. I'd like to change that to a statically assigned name that I choose. I've been doing some reading and it seems there are quite a variety of techniques to do this, but I'm not sure which one is appropriate for this case. Ultimately my goal is simply to find these events using `host=`.
Is the props/transforms approach the right one here? If so, is there a generally-accepted regex to use for this case? Since Splunk has already correctly picked out the IP address, I'm not sure if 'assigning host based on event content' is applicable here.
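An added example of the props/transforms approach for this case; it is not part of the original post and is not the poster's configuration. The input name `udp:514`, the IP addresses `192.0.2.10` and `192.0.2.11`, and the names `sensor-a` and `sensor-b` are placeholders chosen for illustration. The override keys on the host value Splunk has already assigned (`SOURCE_KEY = MetaData:Host`) rather than on the event text, so no regex over the raw syslog payload is needed.

```ini
# props.conf
# Put this on the instance that parses the data (indexer or heavy forwarder,
# not a universal forwarder). Scope it to the syslog input so the transforms
# are not evaluated against every event in the system.
# "udp:514" is an assumed input/source name; adjust to match your stanza in inputs.conf.
[source::udp:514]
TRANSFORMS-fixhost = sethost_192_0_2_10, sethost_192_0_2_11

# transforms.conf
# One stanza per unresolved IP: each transform can set exactly one FORMAT value,
# so distinct IPs need distinct stanzas (listed comma-separated above).
[sethost_192_0_2_10]
# Match on the metadata host key, which holds the value in the form "host::<value>",
# not on _raw. Anchor the whole value and escape the dots so 192.0.2.10 does not
# also match 192.0.2.100 or 192.0.2.10x.
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.10$
DEST_KEY = MetaData:Host
FORMAT = host::sensor-a

[sethost_192_0_2_11]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.11$
DEST_KEY = MetaData:Host
FORMAT = host::sensor-b
```

Two caveats a practitioner should keep in mind. These are index-time settings: they apply only to events indexed after the parsing tier has been restarted (or the configuration reloaded), and previously indexed events keep the IP as their host value, so the search `host=sensor-a` will only return new data. Second, because parsing happens at the indexer or heavy forwarder, the configuration has no effect if it is placed only on a universal forwarder. After restarting, a search such as `host=sensor-a earliest=-15m` confirms the override is taking effect.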