Set host values based on event data
Splunk can assign host names to your events based on data in those events. This topic shows you how to use event data to override default host assignments.
To configure per-event overrides, you need to create two stanzas, one in transforms.conf and another in props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information about configuration files in general, see "About configuration files" in the Admin manual.
Create a stanza in transforms.conf that follows this syntax:

    [<unique_stanza_name>]
    REGEX = <your_regex>
    FORMAT = host::$1
    DEST_KEY = MetaData:Host
Note the following:
- <unique_stanza_name> should reflect that it involves a host value. You'll use this name later in the props.conf stanza.
- <your_regex> is a regular expression that identifies where in the event you want to extract the host value. The host value must be in a capture group, because FORMAT refers to it as $1.
- FORMAT = host::$1 writes the value captured by the first group of REGEX into the host metadata field, which is the destination named by DEST_KEY = MetaData:Host.
Note: For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command. Splunk also maintains a list of useful third-party tools for writing and testing regular expressions.
Next, create a stanza in props.conf that references the transforms.conf stanza:

    [<spec>]
    TRANSFORMS-<class> = <unique_stanza_name>
Note the following:
- <spec> can be one of: <sourcetype>, the source type of an event; host::<host>, where <host> is the host value for an event; or source::<source>, where <source> is the source value for an event.
- <class> is any unique identifier that you want to give to your transform.
- <unique_stanza_name> is the name of the stanza you created in transforms.conf.
Assume that you're starting with the following set of events from the houseness.log file. The host is in the third position ("fflanda", etc.):

    41602046:53 accepted fflanda
    41602050:29 accepted rhallen
    41602052:17 accepted fflanda
First, create a new stanza in transforms.conf with a regex that extracts the host value:

    [houseness]
    DEST_KEY = MetaData:Host
    REGEX = \s(\w*)$
    FORMAT = host::$1
Next, reference your transforms.conf stanza in a props.conf stanza. For example:

    [source::.../houseness.log]
    TRANSFORMS-rhallen=houseness
    SHOULD_LINEMERGE = false
The above stanza has the additional attribute/value pair SHOULD_LINEMERGE = false. This specifies that Splunk should break events at each newline, so that each line of houseness.log becomes its own event and the regex sees exactly one host name at the end of it.

The events will now appear in search results with the host values fflanda, rhallen and fflanda instead of the default host for the input. Keep two things in mind. First, the override only affects events indexed after you restart Splunk to load the new configuration; events already indexed keep the host they were given. Second, the regex \s(\w*)$ simply takes the last word of the line, so any event from the matching source that ends in something other than a host name (including text that a user of the logged system can write into the log) will be indexed under that word as its host. Make the regex as specific as the log format allows, and restrict the props.conf stanza to the exact source or source type that carries the host name.
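The following script is an added illustration, not part of the Splunk documentation or product. It models what the [houseness] transform above does at index time: it parses the transforms.conf stanza with Python's configparser, runs REGEX over each event, substitutes $1 into FORMAT and reports the host each event would be indexed with, falling back to the input's default host when REGEX does not match. The fourth sample event, the stricter regex in STRICT_TRANSFORMS_CONF and the "no override on empty capture" rule are assumptions added here to show why the loose regex from the page is risky: \s(\w*)$ turns the last word of any line into the host, while the anchored regex only accepts lines of the documented "<id> accepted <user>" shape.

```python
import configparser
import re

# Constructed sample input: the three houseness.log events from the page plus a
# fourth, made-up line whose last word is not a host name.
SAMPLE_EVENTS = [
    "41602046:53 accepted fflanda",
    "41602050:29 accepted rhallen",
    "41602052:17 accepted fflanda",
    "41602057:11 failed login from attacker",
]

# The transforms.conf stanza from the page, as written there.
LOOSE_TRANSFORMS_CONF = r"""
[houseness]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1
"""

# Assumed tighter variant (not from the page): only lines with the exact
# "<id> accepted <user>" shape may set the host; anything else keeps the default.
STRICT_TRANSFORMS_CONF = r"""
[houseness]
DEST_KEY = MetaData:Host
REGEX = ^\d+:\d+ accepted (\w+)$
FORMAT = host::$1
"""


def load_transform(conf_text, stanza):
    """Parse one transforms.conf stanza into a compiled regex plus FORMAT and DEST_KEY."""
    # interpolation=None keeps '$1' literal; '=' as the only delimiter keeps the
    # ':' inside 'MetaData:Host' and inside the regex out of the key/value split.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    section = parser[stanza]
    return {
        "regex": re.compile(section["REGEX"]),
        "format": section["FORMAT"],
        "dest_key": section["DEST_KEY"],
    }


def apply_transform(transform, event, default_host):
    """Return the host a single event would get under this transform.

    $1, $2, ... in FORMAT are replaced with the regex capture groups and the
    'host::' prefix is stripped. If REGEX does not match, the default host for
    the input is kept. An empty capture is also treated as "no override"; that
    rule is an assumption of this simulation, not documented Splunk behaviour.
    """
    if transform["dest_key"] != "MetaData:Host":
        raise ValueError("this simulation only models DEST_KEY = MetaData:Host")
    match = transform["regex"].search(event)
    if match is None:
        return default_host
    value = transform["format"]
    for index, group in enumerate(match.groups(), start=1):
        value = value.replace(f"${index}", group or "")
    key, sep, host = value.partition("::")
    if sep == "" or key != "host" or host == "":
        return default_host
    return host


def assign_hosts(conf_text, stanza, events, default_host):
    """Apply the named transforms.conf stanza to every event; returns the host list."""
    transform = load_transform(conf_text, stanza)
    return [apply_transform(transform, event, default_host) for event in events]


if __name__ == "__main__":
    for label, conf in (("loose", LOOSE_TRANSFORMS_CONF), ("strict", STRICT_TRANSFORMS_CONF)):
        print(f"{label} regex:")
        hosts = assign_hosts(conf, "houseness", SAMPLE_EVENTS, "default-host")
        for event, host in zip(SAMPLE_EVENTS, hosts):
            print(f"  host={host:<13} {event}")
```

Running the script shows the fourth event indexed under host "attacker" with the loose regex and under the input's default host with the strict one. The same comparison can be made inside Splunk itself with the rex search command mentioned above before committing a regex to transforms.conf.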
Related topics: Set a default host for a file or directory input; Handle incorrectly-assigned host values.
This documentation applies to the following versions of Splunk® Enterprise: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15