Set a default host for a file or directory input
You can set a host value for all data from a particular file or directory input on the universal forwarder and Splunk Enterprise. You can set the host statically or dynamically.
On Splunk Cloud Platform, you must use a universal forwarder to assign host values as part of collecting data to send to Splunk Cloud Platform. You cannot configure host names in Splunk Web.
If you set the host value statically, the Splunk platform assigns the same host to every event received from a designated file or directory input.
If you set the host value dynamically, the Splunk platform extracts the same host name from the source input using a regular expression or segment of the full directory path of the source. See Assign default fields dynamically.
You can also assign host values to events that come through a particular file or directory input based on their source or source type values as well as other kinds of information. See Set host values based on event data.
Currently, you cannot enable the setting of default host values for network (TCP and UDP) or scripted inputs.
Statically set the default host value
This method applies a single default host value to each event that a specific file or directory input generates.
A static host value assignment affects only new events that a certain input generates. You cannot assign a default host value to data that is already indexed. Instead, you must tag the host value to the existing events. See Define and manage tags in Settings in the Knowledge Manager Manual.
Edit the inputs.conf configuration file to set a default host statically
To specify a host value for a monitored file or directory input, you can edit the inputs.conf configuration file. When you edit the inputs.conf file, set the host
setting in the stanza that defines the input. If you use Splunk Cloud Platform, you configure this setting on the machines where you run the universal forwarder.
[monitor://<path>] host = <your_host>
Edit the inputs.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom Splunk application directory in $SPLUNK_HOME/etc/apps/.
For more information on configuration files in general, see About configuration files in the Admin Manual. For more information about inputs and input types, see What data can I index?
Example of static host value assignment
This example covers any events coming in from /var/log/httpd
. Any events coming from this input receives a host
value of webhead-1
.
[monitor:///var/log/httpd] host = webhead-1
Use Splunk Web to set a default host statically
On Splunk Enterprise, you can define a host for a file or directory input whenever you add or edit an input of that type.
To set the default host when creating a new input, see Set a default host for a new input later in this topic.
To set a default host statically on an existing input, follow these steps:
- On Splunk Web, click Settings > Data Inputs.
- Click Files & Directories.
- On the Files & Directories page, click the name of an existing input to update it.
- In the Host section, select constant value from the Set host drop-down list.
- Enter the static host value for the input in the Host field value field.
- Click Save.
Set a default host for a new input
When you create an input, you must follow a different process to set a default host.
- On Splunk Web, click Settings > Data Inputs.
- Click Files & Directories.
- On the Files & Directories page, click New to add an input.
- Specify the file or directory that you want to monitor, and specify any allow lists or deny lists.
- Click Next.
- (Optional) Set the source type for your new input.
If you specified a directory, the Set Source Type page does not appear. - Click Next.
- On the Input Settings page in the Host section, click Constant Value.
- In the Host field value field, enter the host name for the input.
- Click Review to continue to the Review page.
- Click Submit to create the input.
Dynamically set the default host value
This method dynamically extracts the host value for a file or directory input, either from a segment of the source input path or from a regular expression. For example, if you want to index an archived directory and the name of each file in the directory contains relevant host information, you can extract this information and assign it to the host field.
You can test regular expressions by using them in searches with the rex search command.
Use the inputs.conf file to set a default host dynamically
You can set up dynamic host extraction rules by configuring inputs.conf. For more information on configuration files in general, see About configuration files in the Admin Manual.
Set the event host with the host_regex attribute
- Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
- Use the
host_regex
attribute to override the host field with a value extracted through a regular expression.
[monitor://<path>] host_regex = <your_regular_expression>
- Save the inputs.conf file.
- Restart the Splunk platform instance.
The regular expression extracts the host
value from the filename of each input. The input uses the first capturing group of the regular expression as the host. If the regular expression fails to match, the input sets the default host
attribute as the host.
Set the event host with the host_segment attribute
The host_segment
value overrides the host field with a value that is extracted from a segment in the path of your data source.
- Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
- Add a
host_segment
attribute to a stanza to override the host field with a value that is extracted from a segment in the path of your data source. For example, if the path to the source is /var/log/<host server name> and you want the host server name or the third segment to be the host value, sethost_segment
as follows:
[monitor:///var/log/] host_segment = 3
- Save the inputs.conf file.
- Restart the Splunk platform instance.
Examples of dynamic host assignment
In this example, the regular expression assigns all events from /var/log/foo.log a host value of foo
:
[monitor:///var/log] host_regex = /var/log/(\w+)
This example assigns the host value to the third segment in the path apache/logs:
[monitor:///apache/logs/] host_segment = 3
Use Splunk Web to set a default host dynamically
- Click Settings > Data Inputs.
- Click Files & Directories.
- On the Files & Directories page, click the name of an existing input to update it.
- In the Host section, select one of the following two options from the Set host drop-down list.
Extraction method Steps Extract the host name with a regular expression - Select regex on path.
- Enter the regex for the host you want to extract in the Regular expression field.
Extract the host name from a segment in your data source path - Select segment in path.
- Enter the segment number in the Segment number field. For example, if the path to the source is /var/log/<host server name> and you want the host server name to be the host value, enter 3 to extract the third segment.
- Click Save.
Dynamically set a default host for a new input
When you create an input, you must follow a different process to set a default host dynamically.
- Click Settings > Data Inputs.
- Click Files & Directories.
- On the Files & Directories page, click New to add an input.
- Specify the file or directory that you want to monitor, and specify any allow lists or deny lists.
- Click Next.
- (Optional) Set the source type for your new input.
If you specified a directory, the Set Source Type page does not appear. - Click Next.
- On the Input Settings page in the Host section, click either Regular expression on path or Segment in path .
- If you choose Regular expression on path, enter a regular expression to be used to extract the host name from the source path in the Regular expression field. Otherwise, enter the number for the source path segment to be used to determine the host name in the Segment Number field.
- Click Review to continue to the Review page.
- Click Submit to create the input.
Caveats to setting the host_segment attribute to extract a host name
There are some caveats to using the host_segment
attribute in an inputs.conf stanza:
- You cannot simultaneously specify the
host_regex
andhost_segment
attributes in the same stanza.
- When you simultaneously specify a
host_segment
andsource
attribute in the same stanza, the behavior of thehost_segment
attribute changes:- If the value you specify for the source contains a forward slash (
/
), the host value is extracted based on the segment number you specify inhost_segment
. - If
source
does not contain a forward slash (/
), or you specify ahost_segment
value that is larger than the number of segments available insource
, then the Splunk platform can't extract the host value and instead uses the name of the host that extracted the data.
- If the value you specify for the source contains a forward slash (
The following examples show what happens when source
doesn't contain a forward slash, or you specify a host_segment
value that is larger than the number of segments available in source
:
Host name | Source path | Inputs.conf configuration | Resulting host value |
---|---|---|---|
server01 | /mnt/logs/server01 | [monitor:///mnt/logs/] host_segment = 3 |
server01 |
server01 | /mnt/logs/server01 | [monitor:///mnt/logs/server01] source = /mnt/logs/server01 host_segment = 3 |
server01 |
server02 | /mnt/logs/server02 | [monitor:///mnt/logs/server02] source = serverlogs host_segment = 3 |
server02 |
Set a default host for a Splunk instance | Set host values based on event data |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.2, 9.3.1, 9.4.0
Feedback submitted, thanks!