Set host values based on event data

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.


Splunk can assign host names to your events based on data in those events. This topic shows you how to use event data to override default host assignments.

Configuration

To configure per-event overrides, you need to create two stanzas, one in transforms.conf and another in props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information about configuration files in general, see "About configuration files" in the Admin manual.

transforms.conf

Create a stanza in transforms.conf that follows this syntax:

[<unique_stanza_name>]
REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

Note the following:

  • <unique_stanza_name> should reflect that it involves a host value. You'll use this name later in the props.conf stanza.
  • <your_regex> is a regular expression that identifies where in the event you want to extract the host value.
  • FORMAT = host::$1 writes the REGEX value into the host:: field.

Note: For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command. Splunk also maintains a list of useful third-party tools for writing and testing regular expressions.

props.conf

Next, create a stanza in props.conf that references the transforms.conf stanza:

[<spec>]
TRANSFORMS-<class> = <unique_stanza_name>

Note the following:

  • <spec> can be:
    • <sourcetype>, the source type of an event.
    • host::<host>, where <host> is the host value for an event.
    • source::<source>, where <source> is the source value for an event.
  • <class> is any unique identifier that you want to give to your transform.
  • <unique_stanza_name> is the name of the stanza you created in transforms.conf.

Example

Assume that you're starting with the following set of events from the houseness.log file. The host is in the third position ("fflanda", etc.).

41602046:53 accepted fflanda
41602050:29 accepted rhallen
41602052:17 accepted fflanda

First, create a new stanza in transforms.conf with a regex that extracts the host value:

[houseness]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

Next, reference your transforms.conf stanza in a props.conf stanza. For example:

[source::.../houseness.log]
TRANSFORMS-rhallen=houseness
SHOULD_LINEMERGE = false

The above stanza has the additional attribute/value pair SHOULD_LINEMERGE = false. This specifies that Splunk should break events at each newline.

The events will now appear in search results like this:

[Figure: search results listing the three events, each with the host value extracted from the event text]
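As an added illustration (not Splunk's code and not part of the original page), the following Python mimics what the transforms.conf and props.conf stanzas above do to each houseness.log event: parse the stanza, run REGEX on every line, expand FORMAT, and write the capture into the host. The default host name indexer01 and the fourth, non-matching event are constructed, and treating an empty capture as no override is an assumption of the example.

```python
import re
# Constructed sample events: the page's three houseness.log lines plus one
# bare timestamp the regex cannot match, to exercise the default-host path.
HOUSENESS_LOG = """41602046:53 accepted fflanda
41602050:29 accepted rhallen
41602052:17 accepted fflanda
41602055:03
"""

# The transforms.conf stanza as the page gives it (raw string keeps the regex).
TRANSFORMS_CONF = r"""[houseness]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1
"""
def parse_stanza(text):
    """Parse one [name] stanza of key = value lines into (name, settings)."""
    name, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return name, settings

def expand_format(fmt, match):
    """Replace $1, $2, ... in FORMAT with the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), fmt)

def assign_hosts(raw_events, transform, default_host):
    """Per-event host override as the page describes: with SHOULD_LINEMERGE =
    false each line is an event; REGEX runs on it, FORMAT builds host::<value>,
    and because DEST_KEY is MetaData:Host that value replaces the default host.
    Non-matching events keep the default; treating an empty capture as no
    override is an assumption of this example."""
    if transform.get("DEST_KEY") != "MetaData:Host":
        raise ValueError("stanza does not write to MetaData:Host")
    regex = re.compile(transform["REGEX"])
    assigned = []
    for event in filter(None, raw_events.splitlines()):
        host, m = default_host, regex.search(event)
        if m:
            key, value = expand_format(transform["FORMAT"], m).split("::", 1)
            if key == "host" and value:
                host = value
        assigned.append((host, event))
    return assigned
```

The fourth event shows the caveat worth checking before deploying such a stanza: any event the regex does not match silently keeps the default host, so verify the regex against unusual lines with the rex search command first.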

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11.