An event's host field value is the name of the physical device from which the event originates. Because it is a default field, which means that Splunk assigns a host to every event it indexes, you can use it to search for all events that have been generated by a particular host.
The host value is typically the hostname, IP address, or fully qualified domain name of the network host on which the event originated.
How Splunk assigns the host value
Splunk assigns a host value to each event by examining settings in the following order and using the first host setting it encounters:
1. Any event-specific host assignment specified in
2. The default host value for the event's input, if any.
3. The default host value for the Splunk server (indexer or forwarder) intially consuming the data.
An overview of these assignment methods and their use cases follows. Subsequent topics describe the methods in greater detail.
The Splunk server's default host value
If no other host rules are specified for a source, Splunk assigns the host field a default value that applies to all data coming into the Splunk instance from any input. The default host value is the hostname or IP address of the Splunk instance (indexer or forwarder) initially consuming the data. When the Splunk instance is running on the server where the event occurred, this is correct and no manual intervention is required.
For more information, see "Set a default host for a Splunk server" in this manual.
The default host for a file or directory input
If you are running Splunk on a central log archive, or you are working with files forwarded from other hosts in your environment, you might need to override the default host assignment for events coming from particular inputs.
There are two methods for assigning a host value to data received through a particular input. You can define a static host value for all data coming through a specific input, or you can have Splunk dynamically assign a host value to a portion of the path or filename of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.
For more information, see "Set a default host for a file or directory input" in this manual.
Some situations require you to assign host values by examining the event data. For example, If you have a central log host sending events to Splunk, you might have several host servers that feed data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event's data to determine the host value.
For more information, see "Set host values based on event data" in this manual.
Handle incorrectly-assigned host values
If your event data gets tagged with the wrong host value, don't worry. There are a number of ways to fix or work around the problem.
For details, see "Handle incorrectly-assigned host values" in this manual.
Tag host values
You can tag host values to aid in the execution of robust searches. Tags enable you to cluster groups of hosts into useful, searchable categories.
For details, see "About tags and aliases" in the Knowledge Manager manual.
Extract fields from file headers
Set a default host for a Splunk server
This documentation applies to the following versions of Splunk® Enterprise: