Splunk® Enterprise

Getting Data In

Splunk version 4.x reached its End of Life on October 1, 2013.

Set a default host for a file or directory input

You can set a host value for all data that arrives through a particular file or directory input. The host can be set statically or dynamically:

  • If you set the host statically, Splunk assigns the same host value to every event that arrives through the designated file or directory input.
  • If you set the host dynamically, Splunk extracts the host name from the source's full path, using either a regular expression or a numbered segment of the path.

You can also assign host values to events coming through a particular file or directory input based on their source or source type values (as well as other kinds of information). For more information, see "Set host values based on event data" in this manual.

Note: Splunk currently does not enable the setting of default host values for event data received through TCP, UDP, or scripted inputs.

Statically set the default host value

This method applies a single default host value to each event received through a specific file or directory input.

Note: A static host value assignment only affects new data arriving through the input it is associated with. You cannot assign a default host value to data that has already been indexed; for indexed data, tag the host value instead.

Use Splunk Web

You can define a host for a file or directory input whenever you add a new input of that type through the "Data inputs" page of Splunk Web's Manager interface:

1. Click Manager in the upper right-hand corner of Splunk Web.

2. In the Data section of the Manager page, click Data Inputs.

3. Click Files & Directories.

4. On the Files & directories page, either click the name of an existing input to update it or click New to create a new file or directory input.

5. In the Host section, select the "constant value" option from the Set host dropdown.

6. Enter the static host value for the input in the "Host field value" field.

7. Click Save.

For more information about inputs and input types, see "What Splunk can monitor" in this manual.

Edit inputs.conf

You can directly edit inputs.conf to specify a host value for a monitored file or directory input. Set the host attribute in the appropriate stanza.

[monitor://<path>]
host = <your_host>

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.

Example of static host value assignment

This example covers all events coming in from files under /var/log/httpd. Every event from this input receives a host value of webhead-1.

[monitor:///var/log/httpd]
host = webhead-1

Dynamically set the default host value

This method dynamically extracts the host value for a file or directory input, either from a segment of the source input path or from a regular expression. For example, if you want to index an archived directory and the name of each file in the directory contains relevant host information, you can extract this information and assign it to the host field.

Note: For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command. Splunk also maintains a list of useful third-party tools for writing and testing regular expressions.

Use Splunk Web

1. Click Manager in the upper right-hand corner of Splunk Web.

2. In the Data section of the Manager page, click Data Inputs.

3. Click Files & Directories.

4. On the Files & directories page, either click the name of an existing input to update it or click New to create a new file or directory input.

5. In the Host section, select one of the following two options from the Set host dropdown:

  • regex on path - Choose this option if you want to extract the host name with a regular expression. Then enter the regex for the host you want to extract in the Regular expression field.
  • segment in path - Choose this option if you want to extract the host name from a segment in your data source's path. Then enter the segment number in the Segment number field. Segments are numbered from 1, starting after the leading slash. For example, if the path to the source is /var/log/<host server name>, the segments are var (1), log (2) and the host server name (3); to use the host server name as the host value, enter "3".

6. Click Save.

Edit inputs.conf

You can set up dynamic host extraction rules by directly configuring inputs.conf.

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.

Use the host_regex attribute to override the host field with a value extracted through a regular expression:

[monitor://<path>]
host_regex = <your_regex>

Splunk matches the regex against the full path of each monitored file, not just the file name, and uses the first capturing group as the host. Write the regex so that it matches only the part of the path you intend; a loose pattern can capture an unrelated directory or file name.

Note: If the regex fails to match, the static host attribute of the input (or, if none is set, the server default host) is used as the host.

Use the host_segment attribute to override the host field with a value extracted from a segment of your data source's path. Segments are numbered from 1, starting after the leading slash, so in /var/log/<host server name> the segments are var (1), log (2) and the host server name (3). To use the third segment as the host value, your input stanza would look like:

[monitor:///var/log/]
host_segment = 3

Note: You cannot specify both host_regex and host_segment in the same stanza.

Because dynamic host assignment derives the host from the file path, anyone who can create files or directories under the monitored path also chooses the host value that Splunk assigns to those events. Restrict write access to monitored directories accordingly, and keep the regex narrow enough that unexpected file names fall back to the static host instead of being accepted.

Examples of dynamic host assignment

In this example, the regex captures the first run of word characters after /var/log/, so events from /var/log/foo.log receive a host value of "foo" (and events from /var/log/httpd/access_log would receive "httpd"):

[monitor:///var/log]
host_regex = /var/log/(\w+)

This example monitors /apache/logs/ and assigns the host from the third segment of each file's path, that is, the directory immediately below /apache/logs/. A file at /apache/logs/webhead-1/access_log gets the host value webhead-1. Note that a file placed directly in /apache/logs/ would get its own file name as the host, so lay out the directory so that the host directory is always present:

[monitor:///apache/logs/]
host_segment = 3

After editing a stanza, restart Splunk so the change takes effect, then verify the assignment with a search such as source="/apache/logs/*" | stats count by host, source and confirm that every source maps to the host you expect.
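The following Python script is an added example, not code from Splunk or from this manual. It reimplements the host, host_regex and host_segment rules described in the static and dynamic sections above so that a set of stanzas can be checked against sample file paths before they go into inputs.conf. The inputs.conf text, the file paths and the DEFAULT_HOST value are constructed for the example; the longest-prefix rule for choosing which stanza applies to a path, and the fallback to the static host when a host_segment index is out of range, are assumptions about behaviour this page does not spell out.

```python
"""Resolve the host field for monitor:// inputs the way the page describes.

This is an added example, not Splunk's own code: it reimplements the
documented rules for the host, host_regex and host_segment attributes so
that a stanza can be checked against sample file paths before it goes
into inputs.conf. The configuration text, file paths and default host
below are constructed for the example.
"""
import re
from configparser import ConfigParser

# Constructed sample inputs.conf: a static, a regex and a segment stanza.
SAMPLE_INPUTS_CONF = r"""
[monitor:///var/log/httpd]
host = webhead-1

[monitor:///var/log]
host = fallback-host
host_regex = /var/log/(\w+)

[monitor:///apache/logs/]
host_segment = 3
"""

# Stand-in for the server-wide default host (assumed value).
DEFAULT_HOST = "splunk-indexer"

# Constructed paths covering the normal cases and the edge cases.
SAMPLE_PATHS = [
    "/var/log/httpd/access_log",          # static host from the most specific stanza
    "/var/log/foo.log",                   # regex capture group -> "foo"
    "/var/log/.hidden",                   # regex fails -> static host of that stanza
    "/apache/logs/webhead-2/access.log",  # third path segment -> "webhead-2"
    "/apache/logs/error.log",             # file directly under the monitored dir
    "/opt/other/file.log",                # no stanza -> server default host
]


def parse_inputs_conf(text):
    """Return {stanza_name: {attribute: value}} for inputs.conf-style text."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def monitor_path(stanza):
    """Strip the monitor:// scheme: '[monitor:///var/log/]' monitors '/var/log'."""
    return stanza[len("monitor://"):].rstrip("/")


def stanza_for(path, stanzas):
    """Pick the stanza whose monitored path is the longest prefix of `path` (assumption)."""
    matches = [s for s in stanzas
               if path == monitor_path(s) or path.startswith(monitor_path(s) + "/")]
    return max(matches, key=lambda s: len(monitor_path(s))) if matches else None


def conflicting_stanzas(stanzas):
    """Stanzas that set both host_regex and host_segment, which is not allowed."""
    return [n for n, a in stanzas.items() if "host_regex" in a and "host_segment" in a]


def resolve_host(path, stanzas, default_host=DEFAULT_HOST):
    """Apply the documented rules to one source path and return its host value.

    host_regex  : matched against the full source path; the first capturing
                  group becomes the host; no match falls back to the static host.
    host_segment: 1-based index into the path split on '/', leading slash
                  ignored; an out-of-range index also falls back (assumption).
    host        : static value for every event from the input.
    """
    name = stanza_for(path, stanzas)
    attrs = stanzas[name] if name else {}
    static_host = attrs.get("host", default_host)

    if "host_regex" in attrs and "host_segment" in attrs:
        raise ValueError(f"{name}: host_regex and host_segment are mutually exclusive")

    if "host_regex" in attrs:
        match = re.search(attrs["host_regex"], path)
        return match.group(1) if match and match.lastindex else static_host

    if "host_segment" in attrs:
        segments = path.strip("/").split("/")
        index = int(attrs["host_segment"])
        return segments[index - 1] if 1 <= index <= len(segments) else static_host

    return static_host


def resolve_all(text=SAMPLE_INPUTS_CONF, paths=SAMPLE_PATHS):
    """Resolve every sample path against the sample configuration."""
    stanzas = parse_inputs_conf(text)
    if conflicting_stanzas(stanzas):
        raise ValueError("fix conflicting stanzas: %s" % conflicting_stanzas(stanzas))
    return {path: resolve_host(path, stanzas) for path in paths}


if __name__ == "__main__":
    for path, host in resolve_all().items():
        print(f"{path:38} -> host={host}")
```

Running the script prints one line per sample path. The two lines worth studying are /var/log/.hidden, which shows the documented fallback to the stanza's static host when the regex does not match, and /apache/logs/error.log, which shows that host_segment takes whatever occupies the numbered segment, here a file name rather than a host directory.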

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

