Documentation > Splunk > Knowledge Manager Manual > About hosts

Knowledge Manager Manual

 


Welcome
When you first deploy Splunk
Understand events
Work with fields
Work with hosts
Work with source types
Manage event types
Define tags and aliases
Group events into transactions
Manage saved searches and search jobs
Configure summary indexes

About hosts

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

About hosts

An event's host field value is the name of the physical device from which the event originates. Because it is a default field, which means that Splunk assigns it to every event it indexes, you use it to search for all events that have been generated by a particular host.

The host value can be an IP address, device hostname, or a fully qualified domain name, depending on whether the event was received through a file input, network input, or the computer hosting the instance of Splunk.


How Splunk assigns the host value

If no other host rules are specified for a source, Splunk assigns host a default value that applies to all data coming from inputs on a given Splunk server. The default host value is the hostname or IP address of the network host. When Splunk is running on the server where the event occurred (which is the most common case) this is correct and no manual intervention is required.

Learn how to set a default host for a Splunk server.


Override host for remote archive files

If you are running Splunk on a central log archive, or you are working with files copied from other hosts in your environment, you may need to override the default host assignment for events coming from particular inputs. There are two methods for setting an input's host assignment. You can define a custom host value for all data coming through that input, or you can have the assigned host value match a portion of the path or filename of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.


Get distinct hosts from a centralized log server environment

There may be many servers involved in cases where a centralized log host is sending events to Splunk. The central log server is called the reporting host. The system where the event occurred is called the originating host (or just the host). In cases such as this you need to define rules to override automatic host assignments for events received from that centralized log host.


Tag host values

Tag host values to aid in the execution of robust searches. Tags enable you to cluster groups of hosts into useful, searchable categories.


Set host values in inputs.conf

Set host values directly in inputs.conf. Some host extraction configurations require changes to transforms.conf and props.conf. Before manually modifying any configuration file, read about configuration files.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.5/Knowledge/Abouthosts"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!