From e8500c53ab82283715b34400a43fee11e501dcc3 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 7 Aug 2020 17:28:46 -0400
Subject: [PATCH] [fix] lookup host by sourceip (#621)

* [fix] lookup host by sourceip
* Update test_common.py
---
 .../etc/conf.d/conflib/_splunk/fix_dns.conf | 2 +-
 tests/test_common.py | 65 ------------------
 2 files changed, 1 insertion(+), 66 deletions(-)

diff --git a/package/etc/conf.d/conflib/_splunk/fix_dns.conf b/package/etc/conf.d/conflib/_splunk/fix_dns.conf
index 28005f5..cc10ead 100644
--- a/package/etc/conf.d/conflib/_splunk/fix_dns.conf
+++ b/package/etc/conf.d/conflib/_splunk/fix_dns.conf
@@ -45,7 +45,7 @@ parser p_fix_host_resolver {
 parser p_add_context_host {
 add-contextual-data(
- selector("${HOST}"),
+ selector("${SOURCEIP}"),
 database("conf.d/local/context/host.csv"),
 );
 };
diff --git a/tests/test_common.py b/tests/test_common.py
index b0f3314..483f543 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
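Review bot: The new `selector("${SOURCEIP}")` line carries no comment explaining the change of lookup key, and it silently changes what conf.d/local/context/host.csv must be indexed by (a sender IP address instead of a host name). A comment above `add-contextual-data(` would save the next maintainer a trip through the history: `# Key host.csv on the transport peer's address (${SOURCEIP}) rather than ${HOST}, which, depending on keep-hostname(), may be taken from the sender-supplied message header; host.csv rows must therefore be indexed by source IP.` The two tests that exercised this parser, test_fix_dns_context and test_fix_dns_notfound in tests/test_common.py, are removed by the same commit instead of being adapted to the new key, so nothing in the patch verifies that the lookup still resolves. Updating the expected `host=` value in their searches and keeping at least one of them would cover the new behaviour.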
@@ -102,71 +102,6 @@ def test_fallback(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 assert resultCount == 1
-#
-
-
-def test_fix_dns_context(record_property, setup_wordlist, setup_splunk, setup_sc4s):
- host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
- pid = random.randint(1000, 32000)
-
- dt = datetime.datetime.now()
- iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
-
- # Tune time functions
- epoch = epoch[:-7]
-
- mt = env.from_string(
- "{{ mark }} {{ bsd }} 169.254.0.2 dnstest[{{ pid }}]: {{ host }}\n"
- )
- message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid)
-
- sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
-
- st = env.from_string(
- 'search _time={{ epoch }} host=foo.example index=osnix "[{{ pid }}]" {{ host }} sourcetype="nix:syslog"'
- )
- search = st.render(epoch=epoch, pid=pid, host=host)
-
- resultCount, eventCount = splunk_single(setup_splunk, search)
-
- record_property("host", host)
- record_property("resultCount", resultCount)
- record_property("message", message)
-
- assert resultCount == 1
-
-
-def test_fix_dns_notfound(record_property, setup_wordlist, setup_splunk, setup_sc4s):
- host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
- pid = random.randint(1000, 32000)
-
- dt = datetime.datetime.now()
- iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
-
- # Tune time functions
- epoch = epoch[:-7]
-
- mt = env.from_string(
- "{{ mark }} {{ bsd }} 169.254.0.1 dnstest[{{ pid }}]: {{ host }}\n"
- )
- message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid)
-
- sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
-
- st = env.from_string(
- 'search _time={{ epoch }} host=169.254.0.1 index=osnix "[{{ pid }}]" {{ host }} sourcetype="nix:syslog"'
- )
- search = st.render(epoch=epoch, pid=pid, host=host)
-
- resultCount, eventCount = splunk_single(setup_splunk, search)
-
- record_property("host", host)
- record_property("resultCount", resultCount)
- record_property("message", message)
-
- assert resultCount == 1
-
-
 def test_metrics(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 st = env.from_string(