Set a default host for a Splunk server
An event's host value is the IP address, host name, or fully qualified domain name of the physical device on the network from which the event originates. Because Splunk assigns a
host value at index time for every event it indexes, host value searches enable you to easily find data originating from a specific device.
Default host assignment
If you have not specified other host rules for a source (using the information in subsequent topics in this chapter), the default host value for an event is the hostname or IP address of the server running the Splunk instance (forwarder or indexer) consuming the event data. When the event originates on the server on which the Splunk instance is running, that host assignment is correct and there's no need to change anything. However, if all your data is being forwarded from a different host or if you're bulk-loading archive data, you might want to change the default host value for that data.
To set the default value of the host field, you can use Manager or edit
Set the default host value using Manager
Use Manager to set the default host value for a server:
1. In Splunk Web, click on the Manager link in the upper right-hand corner of the screen.
2. In Manager, click System settings under System.
3. On the System settings page, click General settings.
4. On the General settings page, scroll down to the Index settings section and change the Default host name.
5. Save your changes.
This sets the default value of the host field for all events coming into that Splunk instance. You can override the value for invidividual sources or events, as described later in this chapter.
Set the default host value using inputs.conf
The default host assignment is set in inputs.conf during Splunk installation. You can modify the host value by editing that file in
$SPLUNK_HOME/etc/system/local/ or in your own custom application directory in
Splunk places the host assignment in the
This is the format of the default host assignment in
[default] host = <string>
<string> to your chosen default host value.
<string> defaults to the IP address or domain name of the host where the data originated.
Warning: Do not put quotes around the
Restart Splunk to enable any changes you make to
Note: By default, the
host attribute is set to the variable
$decideOnStartup, which means that it's set to the hostname of the machine
splunkd is running on. The value is re-interpreted each time
splunkd starts up.
Override the default host value for data received from a specific input
If you are running Splunk on a central log archive, or you are working with files forwarded from other hosts in your environment, you might need to override the default host assignment for events coming from particular inputs.
There are two methods for assigning a host value to data received through a particular input. You can define a static host value for all data coming through a specific input, or you can have Splunk dynamically assign a host value to a portion of the path or filename of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.
For more information, see "Set a default host for an file or directory input" in this manual.
Override the default host value using event data
Some situations require you to assign host values by examining the event data. For example, If you have a central log host sending events to Splunk, you might have several host servers feeding data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event's data to determine the host value.
For more information, see "Set host values based on event data" in this manual.
Set a default host for a file or directory input
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18