Topics

| pdf version

About the Splunk Admin Manual

How Splunk Works

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

Distributed Search

Alerts

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Extract host per event

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Extract host per event

Use these instructions if you want to override the default host name that is assigned to your events.


Configuration

Configure a dynamically extracted host name for any source or sourcetype via transforms.conf and props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

transforms.conf

Add your custom stanza to $SPLUNK_HOME/etc/system/local/transforms.conf. Configure your stanza as follows: 

[$UNIQUE_STANZA_NAME]
DEST_KEY = MetaData:Host
REGEX = $YOUR_REGEX
FORMAT = host::$1

Fill in the stanza name and the regex fields with the correct values for your data.

Leave DEST_KEY = MetaData:Host to write a value to the host:: field. FORMAT = host::$1 writes the REGEX value into the host:: field.

Note: Name your stanza with a unique identifier (so it is not confused with a stanza in $SPLUNK_HOME/etc/system/default/transforms.conf).

props.conf

Create a stanza in $SPLUNK_HOME/etc/system/local/props.conf to map the transforms.conf regex to the source type in props.conf. 

[<spec>]
TRANSFORMS-$name=$UNIQUE_STANZA_NAME

<spec> can be:

  1. <sourcetype>, the sourcetype of an event
  2. host::<host>, where <host> is the host for an event
  3. source::<source>, where <source> is the source for an event

$name is whatever unique identifier you want to give to your transform.

$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.

Note: Optionally add any other valid attribute/value pairs from props.conf when defining your stanza. This assigns the attributes to the <spec> you have set. For example, if you have custom line-breaking rules to set for the same <spec>, append those attributes to your stanza.


Example

The following logs contain the host in the third position. 

41602046:53 accepted pearl
41602050:29 accepted swan
41602052:17 accepted pearl

Create a regex to extract the host value and add it to a new stanza in $SPLUNK_HOME/etc/system/local/transforms.conf: 

[station]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

Now, link your transforms.conf stanza to $SPLUNK_HOME/etc/system/local/props.conf so your transforms are called. For example, the above transform works with the following stanza in props.conf: 

[source::.../hatch.log]
TRANSFORMS-dharma=station
SHOULD_LINEMERGE = false

The above stanza has the additional attribute/value pair SHOULD_LINEMERGE = false. This specifies that Splunk should create new events at a newline.

Note: Optionally add any additional attribute/value pairs from props.conf as needed.

The events now appear in SplunkWeb as the following:

Image:30_admin11_overridehost-hostextract.jpg

Retrieved from "http://www.splunk.com/base/Documentation/3.3.3/Admin/ExtractHostPerEvent"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.