Define host assignment for an input

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13

Use these instructions if you want to explicitly set a host value for all data coming in via a specific configured input. Set host statically for every event in the same input, or dynamically with regex or segment on the full path of the source. To assign a different host for different sources or sourcetypes in the same input, extract host per event.


Statically

This method assigns the same host for every event for the input.

This setting only affects new data coming in via the input. To correct the host displayed in Splunk Web for data that has already been indexed, tag hosts instead.

via Splunk Web

Set host whenever you add a data input through the Data Inputs section of Splunk Web's Admin interface.

Choose Constant value to assign a static value as host for each event that comes from your data source. Enter the value for host in the DNS name or IP address box.

via configuration files

Edit inputs.conf to specify a host value: include a host = attribute within the appropriate stanza. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Configuration

[<inputtype>://<path>]
host = $YOUR_HOST
sourcetype = $YOUR_SOURCETYPE
source = $YOUR_SOURCE

Learn more about input types.

Example

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log

This will set the host as "webhead-1" for any events coming from 10.1.1.10, on TCP port 9995.


Dynamically

Use this method if you want to extract the host name from a segment of the source input. For example, if you have an archived directory you want to index, and the name of each file in the directory contains relevant host information, you can use Splunk to extract this information and assign it to the host field.

via Splunk Web

Follow the steps outlined above. However, instead of choosing Constant value, you can choose either:

Regex on path: Choose this option if you want to extract the host name via a regular expression. Enter the regular expression for host extraction in the regular expression box.

Segment in path: Choose this option if you want to extract the host name from a segment in your data source's path. Enter the segment number in the segment # box.

via configuration files

You can set up dynamic host extraction rules when you are configuring inputs.conf. You can add the following attribute/value pairs to override the host field.

host_regex = <regular expression>

  • If specified, the regular expression extracts the host from the filename of each input.
  • Specifically the first group of the regex is used as the host.
  • If the regex fails to match, the default host = attribute is set as the host.

host_segment = <integer>

  • If specified, the given '/'-separated segment of the path is set as the host of each input.
  • If the value is not an integer, or is less than 1, the default host = attribute is set as the host.

Examples

This example uses regex on the file path to set the host:

[monitor:///var/log]
host_regex = /var/log/(\w+)

Events from /var/log/foo.log are given the hostname "foo".

This example uses the segment of the path to set the host:

[tail://apache/logs/]
host_segment = 3
sourcetype = access_common

This extracts the host name as the third segment in the path apache/logs.
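
A wrong host value misattributes every event from that source, so it is worth checking a host_regex or host_segment rule against real source paths before deploying it. The following Python sketch is an added example, not Splunk code: it approximates the rules listed above and reports which sources would fall back to the default host. The function names, the sample paths and the default host "indexer-1" are hypothetical; Python's re module stands in for Splunk's regex engine, and the segment counting (from 1, ignoring the empty piece before a leading '/') and out-of-range fallback are assumptions.

```python
import re

def resolve_host(source, default_host, host_regex=None, host_segment=None):
    """Return (host, rule) for one source path under one dynamic rule.

    Approximates the rules described above; not Splunk's implementation.
    """
    if host_regex is not None and host_segment is not None:
        raise ValueError("this sketch evaluates one rule at a time")
    if host_regex is not None:
        # Assumption: Python's re stands in for Splunk's regex engine.
        m = re.search(host_regex, source)
        # The first capture group becomes the host; no match -> default.
        if m and m.groups() and m.group(1):
            return m.group(1), "host_regex"
        return default_host, "default"
    if host_segment is not None:
        try:
            n = int(str(host_segment).strip())
        except ValueError:
            return default_host, "default"  # value is not an integer
        # Assumption: segments are counted from 1, skipping the empty
        # piece produced by a leading '/'.
        segments = [s for s in source.split("/") if s]
        # Values below 1 fall back to the default host; treating an
        # out-of-range segment the same way is an assumption.
        if n < 1 or n > len(segments):
            return default_host, "default"
        return segments[n - 1], "host_segment"
    return default_host, "default"

def dry_run(paths, default_host, **rule):
    """List the sources that would silently receive the default host."""
    return [p for p in paths
            if resolve_host(p, default_host, **rule)[1] == "default"]

# Constructed sample paths, not taken from a real deployment.
SAMPLE_PATHS = [
    "/var/log/foo.log",
    "/var/log/web01/access.log",
    "/var/log/",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, resolve_host(path, "indexer-1", host_regex=r"/var/log/(\w+)"))
```

Note that host_segment = 3 applied to /var/log/foo.log yields "foo.log" in this sketch, the kind of mismatch a dry run over real paths surfaces before indexing.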
