Splunk® Enterprise

Getting Data In


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Set host values based on event data

You can configure the Splunk platform to assign host names to your events based on the data in those events. You can use event data to override the default assignment that the Splunk platform makes by supplying a regular expression that matches the event data and configuring two configuration files that determine when the platform overrides the host name for an event.

On Splunk Cloud, you must configure a heavy forwarder to perform host name assignment, then forward that data onward to your Splunk Cloud instance. This is because you cannot edit configuration files on a Splunk Cloud instance directly. On Splunk Enterprise, you can edit configuration files, either on an indexer or a heavy forwarder. You cannot use a universal forwarder in any case, because universal forwarders cannot transform data except in certain limited cases.

For a primer on regular expression syntax and usage, see Regular-Expressions.info. The Splunk community wiki also has a list of useful third-party tools for writing and testing regular expressions. You can test regular expressions by using them in searches with the rex search command.

Use configuration files to override the host name default field in events

The Splunk platform tags event data with default fields during ingestion. Creating host name overrides for events that the Splunk platform indexes involves editing two configuration files on the Splunk platform instance that collects the data, based on some of those default fields.

The first file, transforms.conf, configures the host name override by using a regular expression to determine when the instance should overwrite, or transform, the host name default field. You determine what exactly in your event data is to trigger the transformation, write a regular expression that matches it, and provide that regular expression in a stanza in the transforms.conf file. The Splunk platform triggers the override when incoming event data matches the regular expression that you specify.

The second file, props.conf, determines the default fields to which the host name override can apply. This appears as a stanza within the file which specifies the default fields where the Splunk platform can potentially modify the host name field for incoming events.

You can apply host name overrides to the following default fields:

  • The source, using the source::<source> keyword
  • The source type, using the sourcetype=<sourcetype> keyword
  • The host name, using the host::<host> keyword

Host name overrides occur when you specify one of these default fields in the props.conf file. The following must occur before the Splunk platform overrides the host name:

  • The host, source, or sourcetype in the incoming event data must match what you specify in the props.conf file to activate the host name override transform configuration in the transforms.conf file.
  • The event data must match the regular expression you set for the host name override transform to trigger.

The general procedure for creating a host name override follows:

  1. Review your event data to determine a string that represents when you want the Splunk platform to perform the host name override. This string becomes the regular expression you supply later in the procedure. See the example later in this topic.
  2. Review "Configure a transforms.conf stanza with a host name override transform" and "Configure a props.conf stanza to reference a host name override transform" later in this topic to understand how stanza syntax for host name overrides works.
  3. On a heavy forwarder where you want to do the host name overrides, open a text editor.
  4. With that editor, open the $SPLUNK_HOME/etc/system/local/transforms.conf file for editing.
  5. Add a stanza to this file that represents when the Splunk platform is to do the host name override.
  6. Save the transforms.conf file and close it.
  7. Open the $SPLUNK_HOME/etc/system/local/props.conf file for editing.
  8. Add a stanza to this file that represents the default fields for which the host name override is to apply.
  9. Save the props.conf file and close it.
  10. Restart the heavy forwarder.

On Splunk Enterprise, you can perform this procedure on either the instance that ingests the data, or on a heavy forwarder that sends data to the instance.


For more information about configuration files in general, see About configuration files in the Admin manual.

Configure a transforms.conf stanza with a host name override transform

The transforms.conf file controls where and how the Splunk platform transforms the incoming event data.

The host name override transformation stanza in transforms.conf uses the following syntax:

[<unique_stanza_name>]
REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

In this stanza:

  • <unique_stanza_name> can be anything, and is what you will use to refer to the transform from the props.conf configuration file. Best practice is for the name to reflect that the transform involves a host value.
  • <your_regex> is the regular expression that identifies where in the event you want to extract the host value and assign that value as the default field for that event.
  • FORMAT = host::$1 writes the value captured by the first group in REGEX into the host field.

Configure a props.conf stanza to reference the host name override transform

The props.conf file references the stanza in the transforms.conf file that performs the transformation:

[<spec>]
TRANSFORMS-<class> = <unique_stanza_name>

In this stanza:

  • <spec> can be:
    • <sourcetype>, the source type of an event.
    • host::<host>, where <host> is the host value for an event.
    • source::<source>, where <source> is the source value for an event.
  • <class> is any unique identifier that you want to give to your transform.
  • <unique_stanza_name> is the name of the stanza you created in transforms.conf.

Example of host name default field overriding

Given the following set of events from the houseness.log log file, you want the Splunk platform to set the host default field for each event to the host name found within the event. The host is in the third position of each line in the log file, for example, "fflanda".

41602046:53 accepted fflanda
41602050:29 accepted rhallen
41602052:17 accepted fflanda

First, create a new stanza in the transforms.conf configuration file and provide a regular expression that extracts the host value:

[houseness]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

Next, reference the transforms.conf stanza in a stanza in the props.conf configuration file. For example:

[source::.../houseness.log]
TRANSFORMS-rhallen=houseness
SHOULD_LINEMERGE = false

This example stanza has the additional setting/value pair SHOULD_LINEMERGE = false, to break events at each newline. This is not a requirement, but it is a best practice.

The events then appear in search results like the following:

[Screenshot: search results showing the host field set to the value extracted from each event]
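To check what the two stanzas above will do before restarting a forwarder, the following added example (not Splunk code, and not part of the original topic) simulates the override in Python: it parses the example transforms.conf and props.conf stanzas, matches the source:: spec against a constructed source path (/var/log/app/houseness.log, with a constructed default host collector01), and applies the REGEX and FORMAT to the three events from the page plus two constructed lines that show the regex capturing a non-host word and failing to match when the line ends in punctuation. The spec matching models the documented props.conf rule that "..." spans directories while "*" does not cross a path separator.

```python
import configparser
import re

# Constructed copies of the page's two stanzas (not read from a real Splunk install).
TRANSFORMS_CONF = "[houseness]\nDEST_KEY = MetaData:Host\nREGEX = \\s(\\w*)$\nFORMAT = host::$1\n"
PROPS_CONF = "[source::.../houseness.log]\nTRANSFORMS-rhallen=houseness\nSHOULD_LINEMERGE = false\n"

# The page's three events plus two constructed lines that probe the regex.
SAMPLE_EVENTS = [
    "41602046:53 accepted fflanda",
    "41602050:29 accepted rhallen",
    "41602052:17 accepted fflanda",
    "41602055:03 rejected",           # last word is not a host, but \s(\w*)$ still matches it
    "41602058:44 accepted fflanda.",  # trailing '.' defeats the $ anchor, so no override
]

def parse_conf(text):
    """Parse an INI-style Splunk .conf into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def spec_matches(spec, source):
    """Match a props.conf spec against a source path; '...' spans directories, '*' stops at '/'."""
    pattern = re.escape(spec).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(pattern, "source::" + source) is not None

def apply_host_override(props, transforms, source, default_host, events):
    """Return [(event, host)] after running the TRANSFORMS-* entries whose spec matches source."""
    active = [n.strip() for spec, keys in props.items() if spec_matches(spec, source)
              for key, val in keys.items() if key.startswith("TRANSFORMS-") for n in val.split(",")]
    results = []
    for event in events:
        host = default_host  # the forwarder's own host value unless a transform fires
        for name in active:
            tr = transforms[name]
            match = re.search(tr["REGEX"], event)
            if tr.get("DEST_KEY") == "MetaData:Host" and match:
                value = tr["FORMAT"].replace("$1", match.group(1))
                host = value[len("host::"):] if value.startswith("host::") else value
        results.append((event, host))
    return results

# Run the page's override as if the events arrived from /var/log/app/houseness.log on host collector01.
RESULTS = apply_host_override(parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF),
                              "/var/log/app/houseness.log", "collector01", SAMPLE_EVENTS)
```

The fourth constructed line shows why the regex should be as specific as the log format allows: \s(\w*)$ assigns whatever word ends the line as the host, so untrusted trailing text in an event can end up as the host value.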

Last modified on 30 November, 2020

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 6.3.1, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0, 7.0.11, 7.0.13

