Getting Data In

 


About hosts

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

About hosts

An event's host field value is the name of the physical device from which the event originates. Because it is a default field, which means that Splunk assigns a host to every event it indexes, you can use it to search for all events that have been generated by a particular host.

The host value is typically the hostname, IP address, or fully qualified domain name of the network host on which the event originated.

How Splunk assigns the host value

Splunk assigns a host value to each event by examining settings in the following order and using the first host setting it encounters:

1. Any event-specific host assignment specified in transforms.conf.

2. The default host value for the event's input, if any.

3. The default host value for the Splunk server (indexer or forwarder) intially consuming the data.

An overview of these assignment methods and their use cases follows. Subsequent topics describe the methods in greater detail.

The Splunk server's default host value

If no other host rules are specified for a source, Splunk assigns the host field a default value that applies to all data coming into the Splunk instance from any input. The default host value is the hostname or IP address of the Splunk instance (indexer or forwarder) initially consuming the data. When the Splunk instance is running on the server where the event occurred, this is correct and no manual intervention is required.

For more information, see "Set a default host for a Splunk server" in this manual.

The default host for a file or directory input

If you are running Splunk on a central log archive, or you are working with files forwarded from other hosts in your environment, you might need to override the default host assignment for events coming from particular inputs.

There are two methods for assigning a host value to data received through a particular input. You can define a static host value for all data coming through a specific input, or you can have Splunk dynamically assign a host value to a portion of the path or filename of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.

For more information, see "Set a default host for a file or directory input" in this manual.

Event-specific assignments

Some situations require you to assign host values by examining the event data. For example, If you have a central log host sending events to Splunk, you might have several host servers that feed data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event's data to determine the host value.

For more information, see "Set host values based on event data" in this manual.

Handle incorrectly-assigned host values

If your event data gets tagged with the wrong host value, don't worry. There are a number of ways to fix or work around the problem.

For details, see "Handle incorrectly-assigned host values" in this manual.

Tag host values

You can tag host values to aid in the execution of robust searches. Tags enable you to cluster groups of hosts into useful, searchable categories.

For details, see "About tags and aliases" in the Knowledge Manager manual.

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 , 5.0.4 , 5.0.5 , 5.0.6 , 5.0.7 , 5.0.8 , 5.0.9 , 5.0.10 , 5.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!