Set the value of host based on event data
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
Set the value of host based on event data
Use these instructions if you want to override the default host name that is assigned to your events based on the data in the events themselves. To do this, you must edit transforms.conf and props.conf.
Configuration
Configure a dynamically extracted host name for any source or sourcetype via transforms.conf and props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in this manual.
Edits to transforms.conf
Add your custom stanza to $SPLUNK_HOME/etc/system/local/transforms.conf. Configure your stanza as follows:
[$UNIQUE_STANZA_NAME] DEST_KEY = MetaData:Host REGEX = $YOUR_REGEX FORMAT = host::$1
Fill in the stanza name and the regex fields with the correct values for your data.
Leave DEST_KEY = MetaData:Host to write a value to the host:: field. FORMAT = host::$1 writes the REGEX value into the host:: field.
Note: Name your stanza with a unique identifier (so it is not confused with a stanza in $SPLUNK_HOME/etc/system/default/transforms.conf).
Edits to props.conf
Create a stanza in $SPLUNK_HOME/etc/system/local/props.conf to map the transforms.conf regex to the source type in props.conf.
[<spec>] TRANSFORMS-$name=$UNIQUE_STANZA_NAME
<spec> can be:
- <sourcetype>, the sourcetype of an event
- host::<host>, where <host> is the host for an event
- source::<source>, where <source> is the source for an event
$name is whatever unique identifier you want to give to your transform.
$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.
Note: Optionally add any other valid attribute/value pairs from props.conf when defining your stanza. This assigns the attributes to the <spec> you have set. For example, if you have custom line-breaking rules to set for the same <spec>, append those attributes to your stanza.
Example
The following events in the houseness.log file contain the host in the third position.
41602046:53 accepted fflanda 41602050:29 accepted rhallen 41602052:17 accepted fflanda
Create a regex to extract the host value and add it to a new stanza in $SPLUNK_HOME/etc/system/local/transforms.conf:
[houseness] DEST_KEY = MetaData:Host REGEX = \s(\w*)$ FORMAT = host::$1
Now, link your transforms.conf stanza to $SPLUNK_HOME/etc/system/local/props.conf so your transforms are called. Optionally add any additional attribute/value pairs from props.conf as needed.
The transform above works with the following stanza in props.conf:
[source::.../houseness.log] TRANSFORMS-rhallen=houseness SHOULD_LINEMERGE = false
The above stanza has the additional attribute/value pair SHOULD_LINEMERGE = false. This specifies that Splunk should create new events at a newline.
Note: The additional -rhallen in the attribute TRANSFORMS-rhallen serves to differentiate this transform from other transforms.
The events now appear in SplunkWeb as the following:
