Related Answers
Download topic as PDF
Set host values based on event data
You can configure Splunk software to assign host names to your events based on the data in those events. This topic shows you how to use event data to override default host assignments with props.conf, transforms.conf, and regular expressions.
For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regular expressions by using them in searches with the rex search command. The Splunk community wiki also has a list of useful third-party tools for writing and testing regular expressions.
Configuration
To configure per-event overrides, you need to create two stanzas, one in transforms.conf and another in props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. If you have Splunk Cloud, edit these settings on the machines where you run the Splunk universal forwarder. For more information about configuration files in general, see About configuration files in the Admin manual.
transforms.conf
Create a stanza in transforms.conf that follows this syntax:
[<unique_stanza_name>] REGEX = <your_regex> FORMAT = host::$1 DEST_KEY = MetaData:Host
Note the following:
<unique_stanza_name>should reflect that it involves a host value. You'll use this name later in theprops.confstanza.<your_regex>is a regular expression that identifies where in the event you want to extract the host value.FORMAT = host::$1writes theREGEXvalue into thehost::field.
props.conf
Next, create a stanza in props.conf that references the transforms.conf stanza:
[<spec>] TRANSFORMS-<class> = <unique_stanza_name>
Note the following:
<spec>can be:<sourcetype>, the source type of an event.host::<host>, where<host>is the host value for an event.source::<source>, where<source>is the source value for an event.
<class>is any unique identifier that you want to give to your transform.<unique_stanza_name>is the name of the stanza you created intransforms.conf.
Example
Assume that you're starting with the following set of events from the houseness.log file. The host is in the third position ("fflanda", etc.).
41602046:53 accepted fflanda 41602050:29 accepted rhallen 41602052:17 accepted fflanda
First, create a new stanza in transforms.conf with a regular expression that extracts the host value:
[houseness] DEST_KEY = MetaData:Host REGEX = \s(\w*)$ FORMAT = host::$1
Next, reference your transforms.conf stanza in a props.conf stanza. For example:
[source::.../houseness.log] TRANSFORMS-rhallen=houseness SHOULD_LINEMERGE = false
The above stanza has the additional attribute/value pair SHOULD_LINEMERGE = false, to break events at each newline.
The events will now appear in search results like this:
|
PREVIOUS Set a default host for a file or directory input |
NEXT Change host values after indexing |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.7, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.4.11, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 6.4.6, 6.4.8
Feedback submitted, thanks!