Admin Manual

 



This documentation does not apply to the most recent version of Splunk.

How host works

An event's host value is the name of the physical device on the network where the event originates. Host provides an easy way to find all data originating from a given device. Tagging hosts lets you find data from a group of hosts with a common function or configuration. The value of host may be an IP address, hostname, or fully qualified domain name. Splunk indexes and stores a host value for every event it indexes.


How host is assigned

Default assignment

If no other host rules are specified for a source, host is set to a default host value that applies to all data coming in through inputs on a given Splunk server. The default host value is the hostname or IP address of the network host. When Splunk is running on the server where the event occurred (which is the most common case), this is correct and no manual intervention is required.

Learn how to set a default host for a Splunk server.

Override host for remote archive files

If you are running Splunk on a central log archive, or you are working with files copied from other hosts in the environment, you may need to override the default assignment. You can define host assignment for an input in one of two ways: set a custom host value for all data from that input, or match a portion of the path or filename of a source. The second option is useful when, for example, you have a directory structure that segregates the log archive for each host in a different subdirectory.

Centralized log server environment

When a centralized log host sends events to Splunk, there may be many servers involved. The central log server is called the reporting host. The system where the event occurred is called the originating host (or just the host). In this case, you need to define rules to extract host per event.


Host tagging

Tag a value of a host field to provide extra information to help you search. This helps you execute more robust searches by allowing you to cluster multiple hosts into useful categories.


Configuration files for host

Set the values for host in inputs.conf. More advanced host extraction configurations require changes to transforms.conf and props.conf. Before manually modifying any configuration file, read about configuration files.
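
The three assignment methods described above, shown as configuration fragments. This is an added example, not taken from the Splunk documentation. All hostnames, paths, the `central_syslog` source type and the `originating_host` transform name are constructed, and the setting names (`host`, `host_segment`, `TRANSFORMS-<class>`, `REGEX`, `DEST_KEY`, `FORMAT`) and the `monitor://` stanza form are assumed from Splunk's configuration spec files, so check them against the spec files shipped with your version.

```ini
# ---- inputs.conf ----

# Default assignment: applies to every input on this Splunk server
# unless a more specific rule below overrides it.
[default]
host = splunk01.example.com

# Override with a custom host value: these files were copied from
# web01, so all data from this input is attributed to web01.
[monitor:///data/copied/web01]
host = web01.example.com

# Override from the path: the archive is laid out as
#   /var/log/archive/<hostname>/<logfile>
# Segments are counted from 1 (var=1, log=2, archive=3), so the
# fourth segment is the originating host.
[monitor:///var/log/archive]
host_segment = 4

# ---- props.conf ----

# Centralized log server: apply a per-event host extraction to
# events of the (constructed) source type central_syslog.
[central_syslog]
TRANSFORMS-originating_host = originating_host

# ---- transforms.conf ----

# Take the hostname that follows the syslog timestamp, for example
#   Mar  3 10:15:02 db07 sshd[411]: ...
# and write it to the event's host metadata, replacing the
# reporting host.
[originating_host]
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s
DEST_KEY = MetaData:Host
FORMAT = host::$1
```

With the per-event rule, the host value is copied from the event text itself, so it is only as reliable as whatever the sending system wrote into that field.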

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.

