This is not current Splunk documentation.
Splunk 3.4.5 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk Data Access Manual (Splunk v2.0)

Splunk Meta Data

Host (host::)

The host value of an event is the hostname or IP address of the network host which originated the event.

Host Extraction from Events

Splunk can be configured to try to extract a hostname from each event in a source. Splunk 2.0 comes preconfigured to do this for these event types:

  • syslog
  • cisco_syslog
  • linux_messages_syslog
  • postfix_syslog
  • sendmail_syslog
  • windows_snare_syslog

Splunk 2.0's built-in configuration for the generic syslog source type is a good example of how to configure host:: extraction. The entry for syslog in the known-props.xml file specifies three regular expressions to search for hostnames.

       <properties name="syslog">
                <attribute name="REGEXES">syslog-pre-host,syslog-host,syslog-post-host</attribute>
                <attribute name="SHOULD_LINEMERGE">False</attribute>
                <attribute name="TYPING_CONFIG">/etc/event-types/current/syslog.xml</attribute>
                <attribute name="match_filename1">/var/log/messages</attribute>
                <attribute name="match_filename2">/var/log/syslog</attribute>
                <attribute name="maxDist">3</attribute>
        </properties>

The regex-props.xml file contains the three regular expression definitions, each of which assigns matches to host::.

        <properties name="syslog-pre-host">
                <attribute name="DEST_KEY">MetaData:Host</attribute>
                <attribute name="REGEX">^[^\:]*\d\d\:\d\d\:\d\d\s+(\w[\w\.\-]+)\s</attribute>
                <attribute name="FORMAT">host::$1</attribute>
        </properties>
        <properties name="syslog-post-host">
                <attribute name="DEST_KEY">MetaData:Host</attribute>
                <attribute name="REGEX">^[^\:]*\d\d\:\d\d\:\d\d[^\:]*\s\[?(\d+\.\d+\.\d+\.\d+)\]?\s.*\:</attribute>
                <attribute name="FORMAT">host::$1</attribute>
        </properties>
        <properties name="syslog-host">
                <attribute name="DEST_KEY">MetaData:Host</attribute>
                <attribute name="REGEX">^[^\:]*\d\d\:\d\d\:\d\d\s[^\:]*?(\w[\w\.\-]+)\s+[A-Za-z][^\s\:]+\:\s</attribute>
                <attribute name="FORMAT">host::$1</attribute>
        </properties>

To create a custom host-extraction configuration, add your own entries to overlay-props.xml and overlay-regex-props.xml as described in the section on Properties Files.
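As an added example that is not part of this manual, the following Python applies the three syslog regexes above, in the order the REGEXES attribute lists them, to a few constructed syslog lines and reproduces the host::$1 assignment. It assumes that the first rule whose regex matches wins and that an event matching no rule keeps a default host; both are assumptions, not statements from this page.

```python
import re

# The three regular expressions from regex-props.xml, in the order the
# syslog entry's REGEXES attribute names them (pre-host, host, post-host).
HOST_RULES = [
    ("syslog-pre-host",
     r"^[^\:]*\d\d\:\d\d\:\d\d\s+(\w[\w\.\-]+)\s"),
    ("syslog-host",
     r"^[^\:]*\d\d\:\d\d\:\d\d\s[^\:]*?(\w[\w\.\-]+)\s+[A-Za-z][^\s\:]+\:\s"),
    ("syslog-post-host",
     r"^[^\:]*\d\d\:\d\d\:\d\d[^\:]*\s\[?(\d+\.\d+\.\d+\.\d+)\]?\s.*\:"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in HOST_RULES]


def extract_host(event, default_host="indexer-host"):
    """Return (rule_name, host) for the first rule that matches the event.

    FORMAT is host::$1 for every rule, so the host is capture group 1.
    First-match-wins ordering and the default_host fallback are assumptions
    made for this example, not behaviour documented on this page.
    """
    for name, rx in COMPILED:
        m = rx.search(event)
        if m:
            return name, m.group(1)
    return None, default_host


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # hostname right after the timestamp -> syslog-pre-host
    "Mar 12 10:23:45 webserver01 sshd[4821]: Accepted publickey for deploy from 10.0.0.9 port 51234 ssh2",
    # bracketed IP instead of a hostname -> syslog-post-host
    "Mar 12 10:23:46 [10.0.0.5] kernel: firewall: DROP IN=eth0 SRC=198.51.100.7",
    # an extra token between timestamp and hostname -> syslog-host
    "Oct 11 22:14:15 1 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    # a sequence number followed by a colon: none of the three rules match
    "Mar 12 10:23:48 1034: %SYS-5-CONFIG_I: Configured from console",
]


def extract_all(events=SAMPLE_EVENTS):
    """Apply the rules to every event; returns a list of (rule_name, host)."""
    return [extract_host(e) for e in events]


if __name__ == "__main__":
    for event, (rule, host) in zip(SAMPLE_EVENTS, extract_all()):
        print(f"{rule or '(no match)':18} host::{host}  <- {event[:40]}")
```

The fourth event shows why the rule order and the trailing `\s` / `\:` anchors matter: a numeric token followed by a colon is not accepted as a hostname by any of the three patterns.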

Host extraction can be keyed to sourcetype::, source::, or even host::, as shown below.

        <properties name="source::/var/log/messages"> <!-- per-source configuration -->

        <properties name="host::nyc*"> <!-- per-host configuration, with a wildcard -->

        <properties name="syslog"> <!-- no prefix means it's a sourcetype -->
