This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
An event's host value is the name of the physical device on the network where the event originates. Host provides an easy way to find all data originating from a given device. Tagging hosts lets you find data from a group of hosts with a common function or configuration.The value of host may be an IP address, hostname, or fully qualified domain name. Splunk indexes and stores a host value for every event it indexes.
If you have not specified other host rules for a source (using the information in this and subsequent topics), the value of the host field is set to a default that applies to all data coming into a given Splunk server. The default host value is the hostname or IP address of the network host. When Splunk is running on the server where the event occurred (which is the most common case) this is correct and there's no need for you to change anything. If your data is being forwarded from a different host, or if you're bulk-loading archive data, you might want to change the value.
To set the default value of the host field, you can use Splunk Manager, or edit inputs.conf.
To change the value of the host field via Splunk Manager:
1. Click Manager in the upper right hand corner of Splunk Web.
2. Click System settings.
3 Under Index settings, change Default host name. This sets the value of the host field for all events that don't receive any other host name.
The default host assignment is set in inputs.conf during when you install Splunk. To change the host entry, edit $SPLUNK_HOME/etc/system/local/inputs.conf.
This is the format of the host assignment in inputs.conf:
host = <string>
* This is a shortcut for MetaData:Host = <string>. It sets the host of
events from this input to be the specified string. "host::" is
automatically prepended to the value when this shortcut is used.
Set your own host value by changing the entry for <string>.
If you are running Splunk on a central log archive, or you are working with files copied from other hosts in the environment, you may want to override the default assignment. You can define host assignment for an input based on either a custom host value for all data for that input or matching a portion of the path or filename of a source, such as when you have a directory structure that segregates the log archive for each host in a different subdirectory.
In the case where there is a centralized log host sending events to Splunk, there may be many servers involved. The central log server is called the reporting host. The system where the event occurred is called the originating host (or just the host). In this case you will need to define rules to set the value of the host field based on the information in the events themselves.