Hello, total noob looking for some help. I installed edge/stream on Rocky 8. It is running, but I am having trouble figuring out how to manipulate data in a source.The source is syslogng, destination is splunk. I want to take the data from the source, do a reverse lookup of the IP that sent the data, then replace the system name or add a field with the result from the reverse lookup.The reasoning behind this is that the syslog senders are part of a virtualization cluster, but each cluster re-uses the name(s) "node(X)" internally, so within splunk there's duplicate entries from each cluster. A reverse lookup should give us unique names for splunk
Question
Looking to enrich my data by doing a reverse ip lookup and setting that as the source
So you are sending syslog-ng to Stream and then to Splunk? There is a DNS Lookup function you can add inside a pipeline and then provide the field you want to reverse DNS lookup on
Quick version:Create a syslog source (Data -> Sources)Create a pipeline with the functions you needCreate a route referencing the __inputId for your syslog source
probably best to visit our https://sandbox.cribl.io|sandboxes though, and take a few 30 min courses to familiarize yourself
check internal fields for the connecting ip
I was messing with the DNS lookup, after doing a data capture I couldn't find a field that had the IP address
0
Since the one field with info has extraneous data, I'm guessing I'll need to regex it first to filter just the IP? Would that be correct?
evalip = `__srcIpPort.split('|')[1]`
badabing!
That's just good stuff
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.