
About value "Platform" in lookup_hostinfo in Ipv4Address column

Recently I created a scheduled search that uses the lookup_hostinfo lookup to correlate data that has no hostname but does have an IP with uberAgent data.
Sometimes, early in the morning, the scheduled search has a weird behaviour, and I was able to narrow it down to the lookup_hostinfo.
If the weird behaviour happens, the IPv4Address column in the lookup has the value "Platform" instead of its IP, and the IP <> hostname correlation doesn't work for that host.

Does anyone know where the value "Platform" comes from in the lookup?

4 comments

  • Martin Kretzschmar (Official comment)

    Hi Nico,

    That sounds odd.

    The lookup we ship as part of our Splunk apps does not explicitly contain a field called "Platform". Also, the field Ipv4Address should only contain valid IPv4 addresses.

    Which version of our hostinfo lookup did you use to build your scheduled search on?

    Please note that we fixed a bug with the latest release, 7.0.1:

    Splunk [I826]: fixed outdated values in lookup_hostinfo.

    Thanks, Martin

  • Nico Eggers

    I had a look at the savedsearch that populates the lookup and noticed that the column left of Ipv4Address is "HwModel" and that it contains the value "VMware Virtual Platform".

    So based on that I'd guess it's something with writing to the lookup.
    For now I'll set up a scheduled search watching the lookup that notifies me with the whole row if the Ipv4Address is "Platform" again, to see if the "Platform" value comes from the HwModel column.

    I'll update here when I get new insights/information.

  • Nico Eggers

    ... I found out that there is no value "Platform".
    Our lookup viewer is just stupid and showed the excess of the HwModel column without hiding the vertical cell border.
    So there is just no value for Ipv4Address when the savedsearch alerts.
    I guess I'll wait for a CMDB; that way I am not limited to Citrix machines for the search.

  • Martin Kretzschmar

    Hi Nico,

    Thank you for sharing this update.

    I don't know the product you are using for viewing, but if there are problems with non-existent fields, you could possibly try using Splunk's fillnull command to work around this problem.

    Thanks, Martin
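Nico's finding (an empty Ipv4Address cell that the viewer rendered as spill-over from HwModel) and Martin's fillnull suggestion both boil down to checking the lookup's IP column before relying on it for correlation. The script below is an added example, not code from this thread or from uberAgent's Splunk apps: it reads a constructed CSV in the shape of a lookup_hostinfo export, fills empty Ipv4Address cells with a placeholder (the role fillnull plays in SPL) and flags every row whose value is missing or not a valid IPv4 address. The column names Ipv4Address and HwModel are from the thread; the Hostname column and all sample values are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of a lookup_hostinfo export. Ipv4Address and
# HwModel are the column names from the thread; Hostname and every value here
# are made up for the example. Row ctx-02 reproduces the empty-IP case, ctx-04
# the literal "Platform" that the lookup viewer appeared to show.
SAMPLE_LOOKUP_CSV = """Hostname,HwModel,Ipv4Address
ctx-01,VMware Virtual Platform,10.0.0.15
ctx-02,VMware Virtual Platform,
ctx-03,HP ProLiant DL380,10.0.0.300
ctx-04,VMware Virtual Platform,Platform
ctx-05,Dell PowerEdge,192.168.1.7
"""

# Placeholder written into empty cells so that a "missing" row is visible
# instead of silently vanishing from an IP -> hostname correlation.
MISSING = "N/A"


def audit_lookup(csv_text, ip_field="Ipv4Address", fill_value=MISSING):
    """Return (rows, problems).

    rows:     every row as a dict, with an empty ip_field replaced by
              fill_value (the fillnull-style workaround).
    problems: (row_number, hostname, reason) for each row whose ip_field is
              missing or does not parse as an IPv4 address.
    """
    rows = []
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for number, row in enumerate(reader, start=1):
        value = (row.get(ip_field) or "").strip()
        if not value:
            row[ip_field] = fill_value
            problems.append((number, row.get("Hostname"), "missing"))
        else:
            try:
                ipaddress.IPv4Address(value)
            except ipaddress.AddressValueError:
                problems.append((number, row.get("Hostname"), f"invalid: {value!r}"))
        rows.append(row)
    return rows, problems


def usable_rows(rows, ip_field="Ipv4Address"):
    """Rows whose ip_field is a valid IPv4 address and can drive correlation."""
    good = []
    for row in rows:
        try:
            ipaddress.IPv4Address(row[ip_field])
        except ipaddress.AddressValueError:
            continue  # placeholder or garbage, skip
        good.append(row)
    return good


if __name__ == "__main__":
    rows, problems = audit_lookup(SAMPLE_LOOKUP_CSV)
    for number, host, reason in problems:
        print(f"row {number} ({host}): Ipv4Address {reason}")
    print(f"{len(usable_rows(rows))} of {len(rows)} rows usable for correlation")
```

Run against a real export of the lookup (for example the CSV behind `| inputlookup lookup_hostinfo`), the problems list is the same information Nico's watch search was meant to alert on, and the usable_rows filter is what a correlation search should consume so that a blank or bogus IP never matches anything by accident.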
