Admin Manual

 


Set a default host for a Splunk server

This documentation does not apply to the most recent version of Splunk.

An event's host value is the IP address, host name, or fully qualified domain name of the physical device on the network from which the event originates. Because Splunk assigns a host value at index time for every event it indexes, host value searches enable you to easily find data originating from a specific device.

Default host assignment

If you have not specified other host rules for a source (using the information in this and subsequent topics in this chapter), the default host value for an event is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated. When the event originates from the server on which Splunk is running (which is the most common case), the host assignment is correct, and there's no need for you to change anything. However, if your data is being forwarded from a different host, or if you're bulk-loading archive data, you may want to change the default host value for that data.

To set the default value of the host field, you can use Splunk Manager, or edit inputs.conf.

Set the default host value using Manager

Use Manager to set the default host value for a server:

1. In Splunk Web, click on the Manager link in the upper right-hand corner of the screen.

2. In Manager, click System settings under System configurations.

3. On the System settings page, click General settings.

4. On the General settings page, scroll down to the Index settings section and change the Default host name.

5. Save your changes.

This sets the value of the host field for all events that have not received another host name.

Set the default host value using inputs.conf

This host assignment is set in inputs.conf during Splunk installation. Modify the host entry by editing inputs.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. (We recommend using the latter directory if you want to make it easy to transfer your data customizations to other search servers.)

This is the format of the host assignment in inputs.conf:

host = <string>

Restart Splunk to enable any changes you have made to inputs.conf.
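
The following Python script is an added example, not part of the Splunk documentation or Splunk's own code. It lists every host = <string> assignment found in inputs.conf under the two locations named above, so you can confirm which host value a server will assign before you rely on host searches. The [default] stanza name, the <app>/local/ subdirectory layout, and the sample file contents are assumptions not stated on this page.

```python
import tempfile
from pathlib import Path

def read_host_settings(conf_path):
    """Return (stanza, host) pairs for each 'host = <string>' line in one file."""
    pairs, stanza = [], "default"  # assumption: lines before any [stanza] are global
    text = Path(conf_path).read_text(encoding="utf-8", errors="replace")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "host":
            pairs.append((stanza, value.strip()))
    return pairs

def find_host_assignments(splunk_home):
    """Scan system/local and each app's local directory (layout is an assumption)."""
    home = Path(splunk_home)
    files = [home / "etc/system/local/inputs.conf"]
    files += sorted((home / "etc/apps").glob("*/local/inputs.conf"))
    found = []
    for conf in files:
        if conf.is_file():
            rel = conf.relative_to(home).as_posix()
            found += [(rel, stanza, host) for stanza, host in read_host_settings(conf)]
    return found

def unexpected_default_hosts(splunk_home, expected_host):
    """Files whose [default] host differs from the name you expect on events."""
    return [(rel, host) for rel, stanza, host in find_host_assignments(splunk_home)
            if stanza == "default" and host != expected_host]

def build_sample_tree(root):
    """Constructed sample data: two inputs.conf files with made-up host names."""
    samples = {
        "etc/system/local/inputs.conf": "[default]\nhost = idx01.example.com\n",
        "etc/apps/archive_load/local/inputs.conf":
            "# bulk-loaded archive\n[default]\nhost = oldweb01\n"
            "[monitor:///data/archive]\nhost = oldweb02\n",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in find_host_assignments(tmp):
            print(row)
```

The script only lists what each file contains; it does not resolve which file takes precedence when several set a host value.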

Override the default host value for data received from a specific input

If you are running Splunk on a central log archive, or you are working with files copied from other hosts in the environment, you may want to override the default host assignment for a particular input on a static or dynamic basis.

For more information, see "Set a default host value for an input" in this manual.

Override the default host value using event data

If you have a centralized log host sending events to Splunk, many servers may be involved. The central log server is called the reporting host. The system where the event occurred is called the originating host (or just the host). In this case you need to define rules that set the host field value based on the information in the events themselves.

For more information, see "Override default host values based on event data" in this manual.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8

