Set a host assignment for an input
This documentation does not apply to the most recent version of Splunk.
In certain situations you may want to explicitly set a host value for all data coming in to Splunk through a specific configured input. You can set the host statically or dynamically.
- To statically set the host means you're setting the same host for every event that comes through the designated input.
- If you dynamically set the host value, Splunk extracts the host name from a segment of the source input using a regex or segment of the source's full directory path.
To assign a different host for different sources or sourcetypes in the same input, see "Overriding default host assignments," in this manual.
Statically setting an input's host assignment
This method assigns the same host for every event for the input.
A static host value assignment only impacts new data coming in via the input. If you need to correct the host displayed in Splunk Web for data that has already been indexed, you need to tag hosts instead.
Via Splunk Web
You can statically define a host for an input whenever you add a new input through the "Data inputs" page of Splunk Web's Manager interface:
1. In Splunk Web, click on the Manager link in the upper right-hand corner of the screen.
2. In Manager, click Data inputs under System configuration.
3. On the Data inputs page, choose a type of input that you would like to add or update. The list of inputs for the input type you select opens.
4. From here you can either select an existing input to update or click New to create a new input of the selected type.
5. Either way, to set a static host definition for the input, select Constant value from the Set host dropdown list.
6. Enter the static host value for the input in the Host field value field.
7. Save your changes.
For more information about inputs and input types, see "What Splunk can monitor" in the Admin guide.
Via configuration files
Edit inputs.conf to specify a host value. Include a host = attribute within the appropriate stanza.
Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
[<inputtype>://<path>]
host = $YOUR_HOST
sourcetype = $YOUR_SOURCETYPE
source = $YOUR_SOURCE
For more information about inputs and input types, see "What Splunk can monitor" in the Admin manual.
Example of static host assignment for an input
This example covers any events coming in from IP address 10.1.1.10 on TCP port 9995. Any events coming from this input will have a host value of webhead-1.
[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log
Dynamically setting an input's host assignment
Use this method if you want to dynamically extract the host name either from a segment of the source input path or from a regex. For example, if you have an archived directory you want to index, and the name of each file in the directory contains relevant host information, you can use Splunk to extract this information and assign it to the host field.
Via Splunk Web
Follow the steps outlined for setting a static host assignment via Splunk Web, above. However, instead of selecting Constant value from the Set host dropdown list, choose one of the following two values:
- Regex on path - Choose this option if you want to extract the host name via a regular expression. Enter the regex for the host you want to extract in the Regular expression field.
- Segment in path - Choose this option if you want to extract the host name from a segment in your data source's path. Enter the segment number in the Segment # field. For example, if the path to the source is /var/log/hostserver and you want the third segment to be the host value, enter 3 into the Segment # field.
Via configuration files
You can set up dynamic host extraction rules when you are configuring inputs.conf. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
Add host_regex = <regular expression> to override the host field with a value extracted using a regular expression.
[<inputtype>://<path>]
host_regex = $YOUR_REGEX
sourcetype = $YOUR_SOURCETYPE
source = $YOUR_SOURCE
- If specified, the regular expression extracts the host value from the filename of each input.
- Specifically, the first group of the regex is used as the host.
- If the regex fails to match, the default host = attribute is set as the host.
Note: For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command. Splunk also maintains a list of useful third-party tools for writing and testing regular expressions.
Add host_segment = <integer> to override the host field with a value extracted using a segment of the data source path.
- If specified, the specified '/' separated segment of the path is set as the host of each input.
- If the value is not an integer, or is less than 1, the default host = attribute is set as the host.
Examples of dynamic host assignment for an input
This example uses regex on the file path to set the host:
[monitor:///var/log]
host_regex = /var/log/(\w+)
With that regex, all events from /var/log/foo.log are given a host value of foo.
This example uses the segment of the data source filepath to set the host:
[monitor://apache/logs/]
host_segment = 3
sourcetype = access_common
This sets the host value to the third segment in the path apache/logs.
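Because a host assignment only affects new data, it helps to check what a rule will produce before enabling the input. The following Python sketch is an added example, not Splunk code: it approximates the host_regex and host_segment rules described above using Python's re module (Splunk's own regex engine may differ), and the function names, sample paths and the default host indexer01 are constructed for illustration. It assumes segments are counted from 1 with empty pieces ignored, and that a segment number beyond the end of the path falls back to the default host.

```python
import re


def resolve_host(source_path, default_host, host_regex=None, host_segment=None):
    """Approximate the host-selection rules described above for one source path.

    Returns (host, reason) so mis-attributed sources are easy to spot.
    """
    if host_regex is not None:
        match = re.search(host_regex, source_path)
        # The first capture group becomes the host; no match means fallback.
        if match and match.groups() and match.group(1):
            return match.group(1), "host_regex"
        return default_host, "default (regex did not match)"
    if host_segment is not None:
        try:
            index = int(host_segment)
        except (TypeError, ValueError):
            return default_host, "default (segment is not an integer)"
        if index < 1:
            return default_host, "default (segment is less than 1)"
        # Assumption: '/'-separated segments are 1-indexed, empty pieces ignored.
        segments = [s for s in source_path.split("/") if s]
        if index > len(segments):
            # Assumption: the page does not define this case; fall back.
            return default_host, "default (path has too few segments)"
        return segments[index - 1], "host_segment"
    return default_host, "default (static host)"


def preview(paths, default_host, **rule):
    """Resolve every path with one rule, returning {path: (host, reason)}."""
    return {p: resolve_host(p, default_host, **rule) for p in paths}


# Constructed sample paths, not taken from a real deployment.
SAMPLE_PATHS = [
    "/var/log/foo.log",
    "/var/log/webhead-1/access.log",
    "/var/archive/db01.log",
]

if __name__ == "__main__":
    rule = {"host_regex": r"/var/log/(\w+)"}
    for path, (host, reason) in preview(SAMPLE_PATHS, "indexer01", **rule).items():
        print(f"{path:35} host={host:12} via {reason}")
```

With /var/log/(\w+), the second sample path resolves to webhead rather than webhead-1, because \w does not match a hyphen; a preview like this catches such truncated host values before they are indexed.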
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11