In this recipe, you will learn how to enrich the IP addresses in your log data with hostnames by leveraging an external lookup. A hostname is often more useful than a bare IP address and gives you an easier identifier for which clients are connecting to your application. Many ISP-assigned connections are recognisable from the format of their hostnames (for example, a hostname that spells out the address itself usually marks a dynamic or residential range), which can help you spot potentially malicious activity. Bear in mind that a reverse-DNS hostname comes from the PTR record set by whoever controls that address space, so treat it as context for an analyst rather than as something to authenticate or allow-list on.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with navigating the Splunk user interface.
Follow the steps in this recipe to look up hostnames for given IP addresses:
On your Splunk server, create a new transforms.conf file at $SPLUNK_HOME/etc/apps/operational_intelligence/local/transforms.conf. If one already exists, edit the existing file. Add the following text...
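The transforms.conf stanza points Splunk at an external lookup command, and Splunk drives that command with a simple protocol: it runs the command with the lookup field names as arguments, writes a CSV with those fields as the header to the command's stdin, and reads the same CSV back from stdout with the missing field filled in. The script below is an added illustration of such a command, not the script shipped with the recipe or with Splunk. It assumes the stanza names the fields clienthost and clientip; the PTR table is constructed so the example runs offline, and the "hostname spells out its own address" check is a heuristic of mine rather than anything the recipe specifies.

```python
"""Example Splunk-style external lookup: fill clienthost from clientip.

Invoked as:  external_lookup.py clienthost clientip   (assumed field names)
Reads a CSV with those columns on stdin, writes it back on stdout with
clienthost filled in from a reverse-DNS (PTR) lookup of clientip.
"""
import csv
import io
import ipaddress
import re
import socket
import sys
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed PTR table so the example runs offline; live use swaps in reverse_dns().
SAMPLE_PTR: Dict[str, str] = {
    "203.0.113.7": "cpe-203-0-113-7.example-isp.net",
    "198.51.100.20": "mail.example.org",
}


def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup; returns None when there is no record or DNS fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a static table (used here instead of the network)."""
    return lambda ip: table.get(ip)


def valid_ip(value: str) -> bool:
    """Accept only syntactically valid IPv4/IPv6 before handing text to a resolver."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def embeds_own_address(ip: str, host: str) -> bool:
    """Heuristic (assumption, not from the recipe): ISP hostnames for dynamic or
    residential ranges often spell out the address, e.g. cpe-203-0-113-7.isp.net."""
    octets = ip.split(".")
    if len(octets) != 4:
        return False
    pattern = r"(?<!\d)" + r"[-.]".join(octets) + r"(?!\d)"
    return re.search(pattern, host) is not None


def lookup_rows(ip_field: str, host_field: str, csv_text: str,
                resolver: Resolver = reverse_dns) -> List[Dict[str, str]]:
    """Fill host_field for every row whose ip_field is set; one query per distinct IP."""
    cache: Dict[str, str] = {}
    rows: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get(ip_field) or "").strip()
        if ip and not row.get(host_field):
            if not valid_ip(ip):
                row[host_field] = ""          # leave garbage unresolved
            else:
                if ip not in cache:
                    cache[ip] = resolver(ip) or ""   # "" when no PTR record
                row[host_field] = cache[ip]
        rows.append(row)
    return rows


def main(argv: List[str]) -> int:
    """Entry point matching Splunk's external lookup calling convention."""
    if len(argv) != 3:
        sys.stderr.write("usage: external_lookup.py <host_field> <ip_field>\n")
        return 1
    host_field, ip_field = argv[1], argv[2]
    rows = lookup_rows(ip_field, host_field, sys.stdin.read())
    fieldnames = list(rows[0].keys()) if rows else [host_field, ip_field]
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The per-IP cache matters in practice: Splunk hands the script every distinct value in the search results, and a busy access log can contain thousands of repeats, each of which would otherwise cost a DNS round trip.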