Splunk® Enterprise

Getting Data In

Set a default host for a file or directory input

You can set a host value for all data from a particular file or directory input. You can set the host statically or dynamically.

If you set the host value statically, the same host is assigned to every event received from a designated file or directory input.

If you set the host value dynamically, the host name is extracted from the source input using a regular expression or segment of the full directory path of the source.

You can also assign host values to events that come through a particular file or directory input based on their source or source type values (as well as other kinds of information). See Set host values based on event data.

At this time, you cannot enable the setting of default host values for network (TCP and UDP) or scripted inputs.

Statically set the default host value

This method applies a single default host value to each event that a specific file or directory input generates.

A static host value assignment only affects new events that a certain input generates. You cannot assign a default host value to data that has already been indexed. Instead, you must tag the host value to the existing events. See Define and manage tags in the Knowledge Manager Manual.

Use Splunk Web

You can define a host for a file or directory input whenever you add or edit an input of that type.

To set the default host when creating a new input, see Set a default host for a new input.

  1. Click Settings > Data Inputs.
  2. Click Files & Directories.
  3. On the Files & directories page, click the name of an existing input to update it.
  4. In the Host section, select the "constant value" option from the Set host dropdown.
  5. Enter the static host value for the input in the Host field value field.
  6. Click Save.

Set a default host for a new input

The process to set a default host is different when you create a new input.

  1. Click Settings > Data Inputs.
  2. Click Files & Directories.
  3. On the Files & directories page, click New to add an input.
  4. Specify the file or directory that you want to monitor, and specify any whitelists or blacklists.
  5. Click Next.
  6. (Optional) Set the source type for your new input.

    Note: If you specified a directory, the "Set Sourcetype" page does not appear.
  7. Click Next.
  8. On the Input Settings page, in the Host section, click the Constant Value button.
  9. In the Host field value field, enter the host name for the input.
  10. Click Review to continue to the Review page.
  11. Click Submit to create the input.

Edit inputs.conf

To specify a host value for a monitored file or directory input, edit inputs.conf and set the host attribute in the stanza that defines the input. If you have Splunk Cloud, you configure this setting on the machines where you run the Splunk universal forwarder.

[monitor://<path>]
host = <your_host>

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see About configuration files in the Admin manual.

For more information about inputs and input types, see What data can I index? in this manual.

Example of static host value assignment

This example covers any events coming in from /var/log/httpd. Any events coming from this input will receive a host value of webhead-1.

[monitor:///var/log/httpd]
host = webhead-1

Dynamically set the default host value

This method dynamically extracts the host value for a file or directory input, either from a segment of the source input path or from a regular expression. For example, if you want to index an archived directory and the name of each file in the directory contains relevant host information, you can extract this information and assign it to the host field.

For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regular expressions by using them in searches with the rex search command and by using third-party tools for writing and testing regular expressions.

Use Splunk Web

  1. Click Settings > Data Inputs.
  2. Click Files & Directories.
  3. On the Files & directories page, click the name of an existing input to update it.
  4. In the Host section, select one of the following two options from the Set host dropdown.

    • regex on path - Choose this option if you want to extract the host name with a regular expression. Then enter the regex for the host you want to extract in the Regular expression field.

    • segment in path - Choose this option if you want to extract the host name from a segment in your data source's path. Then enter the segment number in the Segment number field. For example, if the path to the source is /var/log/<host server name> and you want the third segment (the host server name) to be the host value, enter "3".
  5. Click Save.

Dynamically set a default host for a new input

The process to set a default host dynamically is different when you create a new input.

  1. Click Settings > Data Inputs.
  2. Click Files & Directories.
  3. On the Files & directories page, click New to add an input.
  4. Specify the file or directory that you want to monitor, and specify any whitelists or blacklists.
  5. Click Next.
  6. (Optional) Set the source type for your new input. Note: If you specified a directory, the "Set Sourcetype" page does not appear.
  7. Click Next.
  8. On the Input Settings page, in the Host section, click either Regular expression on path or Segment in path.
  9. If you chose Regular expression on path, enter a regular expression to be used to extract the hostname from the source path in the "Regular expression" field. Otherwise, enter the number for the source path segment to be used to determine the hostname in the "Segment Number" field.
  10. Click Review to continue to the Review page.
  11. Click Submit to create the input.

Edit inputs.conf

You can set up dynamic host extraction rules by configuring inputs.conf. For more information on configuration files in general, see About configuration files in the Admin manual.

Set the event host with the host_regex attribute

  1. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
  2. Use the host_regex attribute to override the host field with a value extracted through a regular expression.
    [monitor://<path>]
    host_regex = <your_regular_expression>
    

  3. Save the inputs.conf file.
  4. Restart the Splunk instance.

The regular expression extracts the host value from the filename of each input. The input uses the first capturing group of the regular expression as the host. If the regular expression fails to match, the input sets the default host attribute as the host.

Set the event host with the host_segment attribute

The host_segment value overrides the host field with a value that has been extracted from a segment in the path of your data source.

  1. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
  2. Add a host_segment attribute to a stanza to override the host field with a value that has been extracted from a segment in the path of your data source. For example, if the path to the source is /var/log/<host server name> and you want the third segment (the host server name) to be the host value, set host_segment as follows:

    [monitor:///var/log/]
    host_segment = 3
    
  3. Save the inputs.conf file.
  4. Restart the Splunk instance.

Examples of dynamic host assignment

In this example, the regular expression assigns all events from /var/log/foo.log a host value of "foo":

[monitor:///var/log]
host_regex = /var/log/(\w+)

This example sets the host value from the third segment in the path apache/logs:

[monitor://apache/logs/]
host_segment = 3

Caveats to setting the host_segment attribute to extract a host name

There are some caveats to using the host_segment attribute in an inputs.conf stanza:

  • You cannot simultaneously specify the host_regex and host_segment attributes in the same stanza.
  • When you simultaneously specify a host_segment and source attribute in the same stanza, the behavior of the host_segment attribute changes:
    • If the value you specify for the source contains a / (forward slash), the host value is extracted based on the segment number you specify in host_segment.
    • If source does not contain a /, or you specify a host_segment value that is larger than the number of segments available in source, then Splunk software cannot extract the host value, and instead uses the name of the host that extracted the data. See the following examples:

Example 1: Host name is server01, source path is /mnt/logs/server01, inputs.conf contains:

[monitor:///mnt/logs/]
host_segment = 3

Resulting host value: server01

Example 2: Host name is server01, source path is /mnt/logs/server01, inputs.conf contains:

[monitor:///mnt/logs/server01]
source = /mnt/logs/server01
host_segment = 3

Resulting host value: server01

Example 3: Host name is server02, source path is /mnt/logs/server02, inputs.conf contains:

[monitor:///mnt/logs/server02]
source = serverlogs
host_segment = 3

Resulting host value: server02
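
The extraction and fallback rules above can be checked against sample paths before a stanza is deployed, so that events are not silently attributed to the forwarder instead of the originating host. The following Python sketch is an added example, not Splunk code: resolve_host and audit are hypothetical helper names, Python's re module stands in for Splunk's regular expression engine, and fwd01 is a constructed forwarder name.

```python
import re

def resolve_host(stanza, file_path, default_host):
    """Return (host, extracted) for one monitored file.

    stanza       -- dict of inputs.conf attributes for the [monitor://...] stanza
    default_host -- assumed name of the instance reading the file (the fallback)
    """
    if "host_regex" in stanza and "host_segment" in stanza:
        raise ValueError("host_regex and host_segment cannot share a stanza")

    if "host_regex" in stanza:
        # Assumption: unanchored match, Python `re` standing in for Splunk's engine.
        m = re.search(stanza["host_regex"], file_path)
        if m and m.re.groups >= 1 and m.group(1):
            return m.group(1), True          # first capturing group is the host
        return stanza.get("host", default_host), False

    if "host_segment" in stanza:
        n = int(stanza["host_segment"])
        # A source attribute in the stanza replaces the file path for extraction.
        path = stanza.get("source", file_path)
        segments = [s for s in path.split("/") if s]
        if "/" in path and 1 <= n <= len(segments):
            return segments[n - 1], True
        return default_host, False           # host that read the data

    return stanza.get("host", default_host), False


def audit(stanza, paths, default_host):
    """List the paths whose host would fall back instead of being extracted."""
    return [p for p in paths if not resolve_host(stanza, p, default_host)[1]]


# Constructed sample paths, not taken from a real deployment.
SAMPLE_PATHS = ["/mnt/logs/server01/auth.log", "/mnt/logs/server02/auth.log", "/mnt/logs"]

if __name__ == "__main__":
    stanza = {"host_segment": "3"}
    for p in SAMPLE_PATHS:
        print(p, "->", resolve_host(stanza, p, "fwd01"))
    print("fallbacks:", audit(stanza, SAMPLE_PATHS, "fwd01"))
```

Any path that audit returns would be indexed under the fallback host, which is worth resolving before searches and alerts depend on the host field.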


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0

