Host name configuration examples
There are three .conf files you can configure to set the host:: value: inputs.conf, props.conf and transforms.conf.
Setting host through inputs.conf
You can set the host for any input by adding a host attribute to that input's stanza in inputs.conf. For example:

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log
For file inputs you can instead have the host extracted from the source path, either with host_regex (the first capture group of a regex matched against the path) or with host_segment (the Nth slash-separated segment of the path, counted from 1 after the leading slash). For example, the following assigns host = webhead-1 to a file at /mnt/logs/webhead-1/access.log:

[tail:///mnt/logs]
host_segment = 3
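As an added example that is not part of the original page, the following Python models how host_segment and host_regex resolve a host from a source path, including the case where the path has too few segments (or the regex does not match) and the host falls back to a default. The sample paths, the default host name and the regex pattern are constructed for the example:

```python
import re

# Constructed sample source paths (not taken from the original page).
SAMPLE_SOURCES = [
    "/mnt/logs/webhead-1/access.log",
    "/mnt/logs/db-02/postgres/postgresql.log",
    "/mnt/logs",  # too short: there is no third segment
]


def host_from_segment(source, segment, default="default-host"):
    """Model host_segment = N: the Nth slash-separated component of the source
    path, counted from 1 after the leading slash. When the path has fewer
    segments there is nothing to extract, so the input's default host
    (an assumed name here) is kept."""
    parts = [p for p in source.split("/") if p]
    if segment < 1 or segment > len(parts):
        return default
    return parts[segment - 1]


def host_from_regex(source, pattern, default="default-host"):
    """Model host_regex: the first capture group of the regex, searched
    against the source path; no match (or an empty group) keeps the default."""
    m = re.search(pattern, source)
    if m is None or not m.group(1):
        return default
    return m.group(1)


def resolve_hosts(sources, segment=3, pattern=r"^/mnt/logs/([^/]+)/"):
    """Return (source, host via host_segment, host via host_regex) per path.
    The pattern is an assumed example equivalent to host_segment = 3 under /mnt/logs."""
    return [(s, host_from_segment(s, segment), host_from_regex(s, pattern)) for s in sources]


if __name__ == "__main__":
    for source, by_segment, by_regex in resolve_hosts(SAMPLE_SOURCES):
        print(f"{source:<42} host_segment=3 -> {by_segment:<13} host_regex -> {by_regex}")
```

Note that both methods trust the directory layout: whoever can write a file under an unexpected directory name controls the host value that Splunk records for it.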
Setting host through transforms.conf and props.conf
If you want to set the host on a per-event basis, you can use transforms.conf together with props.conf to create a custom host extraction rule. For example, if all your logs arrive at Splunk from a centralized server, and nothing in the file name, source or sourcetype identifies the originating host, you may still be able to extract the host from the event text itself. Because the host is then taken from the event contents, a sender that controls the message can set it to anything, so treat a regex-derived host as a claim made by the log source rather than as verified provenance.
For example, Splunk extracts the host from syslog data by using the following stanza in transforms.conf:
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]+)\]?\s
FORMAT = host::$1
The above works with the following stanza in props.conf:
[syslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
category = Logs:OSs:Unix
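As an added example that is not part of the original page, the following Python applies the [syslog-host] REGEX above, verbatim, to a few constructed syslog lines so you can see which token becomes the host in each of the shapes the regex accepts (plain host, facility.severity before the host, bracketed host) and what happens when it does not match. The sample events and the fallback host name are constructed for the example:

```python
import re

# The regex from the transforms.conf [syslog-host] stanza, copied verbatim.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]+)\]?\s"
)

# Constructed sample events (not taken from the original page).
SAMPLE_EVENTS = [
    "Jan 12 10:15:32 webhead-1 sshd[1234]: Accepted publickey for ops from 10.1.1.20",
    "Jan 12 10:15:33 user.notice db-02 postgres[55]: checkpoint complete",
    "Jan 12 10:15:34 [10.1.1.10] kernel: eth0: link up",
    "Jan 12 10:15:35 x",  # no usable host token after the timestamp
]


def extract_host(event, default_host):
    """Apply the [syslog-host] rule (DEST_KEY = MetaData:Host, FORMAT = host::$1)
    to one event. When the regex does not match, Splunk leaves the host as the
    input assigned it; that is modelled here by returning default_host, an
    assumed name for the relay the events arrived from."""
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(1) if m else default_host


def apply_to_events(events, default_host="syslog-relay"):
    """Return (host, event) pairs, the host being what the rule would set."""
    return [(extract_host(e, default_host), e) for e in events]


if __name__ == "__main__":
    for host, event in apply_to_events(SAMPLE_EVENTS):
        print(f"host::{host:<14} {event}")
```

The `\s` after the capture group is required, so a line whose host token is the last thing on the line, or is a single character, does not match and keeps the input's host; check your own syslog formats against the regex before relying on it, since the host token is also the part of the message the sender chooses.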
This documentation applies to the following versions of Splunk: 3.0.1, 3.0.2