Set a default Splunk server host

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10

An event's host value is the name of the physical device on the network where the event originates. Because Splunk assigns a host value at index time for every event it indexes, host value searches enable you to easily find all data originating from a given device.


Default host assignment

If you have not specified other host rules for a source (using the information in this and subsequent topics in this chapter), the default host value for an event is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated. When the event originates from the server on which Splunk is running (which is the most common case), the host assignment is correct, and there's no need for you to change anything. However, if your data is being forwarded from a different host, or if you're bulk-loading archive data, you may want to change the default host value for that data.

This topic shows you how you can set a default host value for event data originating from a specific device.

Set the default host value using Manager

Use Manager to set the default host value:

1. In Splunk Web, click the Manager link in the upper right-hand corner.

2. Click System settings.

3. Change the Default host name value in the Index settings section.

This sets the value of the host field for all events that are not assigned another host name.

Set the default host value using configuration files

This host assignment is written in inputs.conf during Splunk installation. Modify the host entry by editing inputs.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. (We recommend using the latter directory if you want to make it easy to transfer your data customizations to other search servers.)

This is the format of the host assignment in inputs.conf:

host = <string>
  • Set <string> to your chosen default host value. <string> defaults to the IP address or domain name of the host where the data originated.
  • This is a shortcut for MetaData:Host = <string>. It sets the host of events from this input to be the specified string. Splunk automatically prepends host:: to the value when this shortcut is used.

Restart Splunk to enable any changes you have made to inputs.conf.


Override the value of host for data from another system

If you are running Splunk on a central log archive, or you are working with files copied from other hosts in the environment, you may want to override the default assignment. You can define host assignment for an input based on either a custom host value for all data for that input or matching a portion of the path or filename of a source, such as when you have a directory structure that segregates the log archive for each host in a different subdirectory.

For more information, see "Set a host assignment for an input" in this manual.
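
One way to check which inputs in an inputs.conf fall back to the default host and which carry their own host rule, as described in the two sections above. This is an added example, not Splunk's own code: the sample file, stanza paths and host names are constructed, the `[default]` stanza name is assumed from Splunk's inputs.conf conventions, and `host_regex` and `host_segment` are per-input settings from the "Set a host assignment for an input" topic rather than this page.

```python
# Constructed sample inputs.conf for a central log archive (names are made up).
SAMPLE_INPUTS_CONF = """\
[default]
host = logarchive01

[monitor:///var/log/messages]

[monitor:///archive/web01/access.log]
host = web01
[monitor:///archive/hosts]
host_segment = 3
"""

# Settings that give an input its own host value. host_regex and host_segment
# are not shown on this page; they belong to the per-input host topic.
HOST_KEYS = ("host", "host_regex", "host_segment")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # assumption: keys before a header are defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit_hosts(text):
    """Return (default_host, inputs inheriting it, inputs with their own rule)."""
    stanzas = parse_conf(text)
    default_host = stanzas.get("default", {}).get("host")
    inherited, overridden = [], {}
    for name, settings in stanzas.items():
        if name == "default":
            continue
        own = {k: settings[k] for k in HOST_KEYS if k in settings}
        if own:
            overridden[name] = own
        else:
            inherited.append(name)
    return default_host, inherited, overridden

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_INPUTS_CONF))
```

On a central log archive, any input in the inherited list will index copied or forwarded data under the archive server's own name, so those are the inputs to review first.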


Override the value of host using event data

In the case where there is a centralized log host sending events to Splunk, there may be many servers involved. The central log server is called the reporting host. The system where the event occurred is called the originating host (or just the host). In this case you need to define rules to set the value of the host field based on the information in the events themselves.

For more information, see "Override default host assignments based on event data" in this manual.

Revision: 207. Community content licensed under Creative Commons.