Auto host resolving in splunk using python

This only works in 2.0.x
Ok so I’ve had a couple of people ask me how to resovle the ip addresses in their syslog files to their hostnames in splunk.
There’s no way to do this just by tweaking a config variable .. we need to dig a little deeper under the surface. It’s actually pretty easy to get splunk to call out to python during event processing so I’ve used that functionality to solve this problem.

Note that this will negatively impact indexing performance but it should work until we get this behavior baked into splunk.

First up I’ve created a python script that calls socket.gethostbyaddr to resolve the hosts. It will also cache the results so that the performance hit for dns misses is reduced.
So copy and paste the following into your favorite editor and save it to <SPLUNK_HOME>lib/python2.4/site-packages/splunk/ . This directory is where the dynamic loaded python will look for scripts; the filename will be referenced later in a config change.

#Copyright (C) 2006 Splunk Inc. All Rights Reserved. This work contains trade
#secrets and confidential material of Splunk Inc., and its use or disclosure in
#whole or in part without the express written permission of Splunk Inc. is prohibited.

from pipeline_data import PipelineDataWrapper #This is a virtual module/class that gets inserted into the python namespace at runtime by splunk
import traceback
import socket

#Set global variables
HOST_KEY = "MetaData:Host"

HOST_RESOLVE_MAP = {} #cache so we don't have to call gethostbyaddr ( expensive ) every event

def resolveHost( pdata, confDictString ):

        host = pdata.get(HOST_KEY)

        resolvedHostName = None

        if host.startswith("host::") :
            host = host[6:]

        if host in HOST_RESOLVE_MAP:
            resolvedHostName = HOST_RESOLVE_MAP[ host ]

        if not resolvedHostName:
                resolved = socket.gethostbyaddr(host)
                resolvedHostName = resolved[0]
                HOST_RESOLVE_MAP[ host ] = resolvedHostName
                HOST_RESOLVE_MAP[ host ] = host
                print "Could not resolve " + host
                return 1

        if resolvedHostName :
            pdata.put( HOST_KEY, "host::"+resolvedHostName )

        return 1    

        print "EXCEPTION !!"
        return -1

Ok now open your <SPLUNK_HOME>/etc/myinstall/splunkd.xml and insert the following chunk of xml between the diskusageprocessor and the bytequotaprocessor in the indexerpipe pipeline :

               <processor name="hostnameresolver" plugin="pythonprocessor">

Ok now fire up splunk and you should start seeing your hosts getting resolved. Note that this will negatively impact performance but it should work until we get this behavior baked into splunk.

Post a Comment

Your email is never published nor shared. Required fields are marked *


By clicking "Submit" button below, I hereby certify that I am not (a) a citizen or permanent resident of any country on which the United States has embargoed goods, technology and/or services (e.g., Cuba, Iran, North Korea, Sudan, Syria, or Crimea), and (b) on any of the relevant U.S. Government Lists of prohibited or restricted persons, including but not limited to the Treasury Department's List of Specially Designated Nationals, and the Commerce Department's List of Denied Persons or Entity List, and that my use of Splunk products and services is in compliance with the applicable U.S. export control and economic sanctions laws and regulations. For further information on the export controls and sanctions laws see, and