Set the value of host for an input

Set the value of host for an input

Use these instructions to explicitly set a host value for all data coming in from a specific configured input. Set host statically for every event in the same input, or dynamically with regex or segment on the full path of the source. To assign a different host for different sources or source types in the same input, set the value of the host field based on event data instead.

Set the value of host statically

The methods described in this topic assign the same host for every event for the input.

Note: Changing the value of the host field for an input will only impact new data coming into that input. To change the value of the host field displayed in Splunk Web for data that has already been indexed, you must tag the host field instead.

Set a static value for host statically using Splunk Web

Set the value of the host field whenever you add a data input through the Data Inputs section of Splunk Manager.

1. In the Host section of the new input page, choose Constant value to assign a static value as the host for each event that comes from this data source.

2. Enter the value for host in the Host field value field.

Set a static value for host using configuration files

Edit inputs.conf to specify a host value. Include a host = attribute within the appropriate stanza in $SPLUNK_HOME/etc/system/local/inputs.conf. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in this manual.

Configuration

[<inputtype>://<path>]
host = $YOUR_HOST
sourcetype = $YOUR_SOURCETYPE
source = $YOUR_SOURCE

Learn more about inputs..

Example

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log

This will set the host as "webhead-1" for any events coming from 10.1.1.10, on TCP port 9995.

Set the value for host dynamically

Use this method if you want to extract the host name from a segment of the source input. For example, if you have an archived directory you want to index, and the name of each file in the directory contains relevant host information, you can use Splunk to extract this information and assign it to the host field.

Set a dynamic value for host with Splunk Web

Set the value of the host field whenever you add a data input through the Data Inputs section of Splunk Manager.

1. In the Host section of the new input page, choose one of the following:

• Regex on path: Choose this option if you want to extract the host name via a regular expression. Enter the regular expression for host extraction in the regular expressi
• Segment in path: Choose this option if you want to extract the host name from a segment in your data source's path. Enter the segment number in the segment # box.

Set a dynamic value for host with configuration files

You can set up dynamic host extraction rules when you are configuring inputs.conf. You can add the following attribute/value pairs to override the host field.

host_regex = <regular expression>

• If specified, the regular expression extracts the host from the filename of each input.
• Specifically the first group of the regex is used as the host.
• If the regex fails to match, the default host = attribute is set as the host.

host_segment = <integer>

• If specified, the specified '/' separated segment of the path is set as the host of each input.
• If the value is not an integer, or is less than 1, the default host = attribute is set as the host.

Examples

This examples uses regex on the file path to set the host:

[monitor:///var/log]
host_regex = /var/log/(\w+)

Events from /var/log/foo.log are given the hostname "foo".

This examples uses the segment of the path to set the host:

[tail://apache/logs/]
host_segment = 3
sourcetype = access_common

This extracts the host name as the third segment in the path apache/logs.

• Was this topic useful?
• Post a comment