Splunk® Enterprise

Getting Data In


Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About hosts

The host field value of an event is the name of the physical device from which the event originates. Because host is a default field, which means that the Splunk platform assigns a host value to every event it indexes, you can use it to search for all events that were generated by a particular host.

The host value is typically the hostname, IP address, or fully qualified domain name of the networked machine on which the event originated.

Both Splunk Cloud Platform and Splunk Enterprise assign host names at index time, but whereas you can configure host assignment directly on a Splunk Enterprise instance, you must do this configuration on a universal or heavy forwarder for Splunk Cloud Platform.

How the Splunk platform determines the host value

The Splunk platform assigns a host value to each event by examining settings in the following order and using the first host setting it encounters:

  1. Any event-specific host assignment that you specify in the transforms.conf configuration file. For Splunk Cloud Platform, you must use a heavy forwarder to assign host names based on event data.
  2. The default host value for the input that created the event, if any.
  3. The default host value for the indexer or forwarder that initially ingests the data.

The default host value

If you don't specify host rules for a source, the Splunk platform assigns the host field a default value that applies to all data coming into the instance from any input. The default host value is the hostname or IP address of the indexer or forwarder that initially ingests the data. When Splunk Enterprise or, in the case of Splunk Cloud Platform, the heavy forwarder, runs on the server where the event occurred, this behavior is correct and requires no manual intervention.

For more information, see Set a default host for a Splunk platform instance.

The default host for a file or directory input

If you run Splunk Cloud Platform, Splunk Enterprise on a central log archive, or you work with files that are forwarded from other machines in your environment, you might need to override the default host assignment for events that come from particular inputs.

There are two methods for assigning a host value to data that's received through a particular input: You can define a static host value for all data that comes through a specific input, or you can have the Splunk platform derive the host value dynamically from a segment of the source path or filename. The latter method is helpful when you have a directory structure that keeps each host's log archive in a separate subdirectory.

For more information, see Set a default host for a file or directory input.

Event-specific assignments

Some situations require that you assign host values by examining the event data. For example, if you have a central log host sending events to a Splunk Enterprise deployment, you might have several machines that feed data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event data to determine the host value.

For more information, see Set host values based on event data.
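The following configuration is an added example, not text from this manual, that ties together the three host-assignment layers described above (the instance default, the per-input static and path-based values, and the event-based transform) so you can see how the precedence order plays out. The paths, host names, and stanza names are hypothetical; the setting names (host, host_segment, TRANSFORMS-, REGEX, FORMAT, DEST_KEY) are standard Splunk configuration keys. On Splunk Cloud Platform these files live on the forwarder, as the text notes.

```ini
# --- inputs.conf (hypothetical example) ---

# Layer 3: instance-wide default. Used only when nothing more specific matches.
# Normally this is the hostname of the indexer or forwarder itself.
[default]
host = fwd01.example.com

# Layer 2a: static host for everything read from one input.
[monitor:///var/log/app]
host = app01.example.com
sourcetype = app_log

# Layer 2b: dynamic host taken from a path segment.
# For /archive/<hostname>/syslog/messages, segment 1 is "archive" and
# segment 2 is the per-host directory name, so host_segment = 2.
[monitor:///archive]
host_segment = 2
sourcetype = syslog

# --- props.conf (hypothetical example) ---

# Layer 1: event-based assignment overrides both of the above for this sourcetype.
[syslog]
TRANSFORMS-sethost = syslog_host_from_event

# --- transforms.conf (hypothetical example) ---

# Pull the host name out of a standard syslog header, for example
# "Oct 27 12:34:56 web01 sshd[2310]: Accepted publickey ..." -> host=web01
[syslog_host_from_event]
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Two points worth checking after you deploy something like this. First, the event-based transform trusts whatever host name the log line itself carries, so it is only as reliable as the system that wrote the line; where your archive layout already encodes the origin, host_segment gives you a value that the ingestion path controls rather than the event content. Second, because host is assigned at index time, a mistake in any of these stanzas is baked into the indexed events; verify with a search such as `index=<your_index> | stats count by host, source` before letting the input run at volume, and see Change host values after indexing for the repair options.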

Handle incorrectly assigned host values

If your event data gets tagged with the wrong host value, there are a number of ways to either fix or work around the problem. See Change host values after indexing for fixes to the most common scenarios.

Tag host values

You can tag host values to aid in the execution of robust searches. Tags let you cluster groups of hosts into useful, searchable categories.

For details, see About tags and aliases in the Splunk Enterprise Knowledge Manager Manual.

Last modified on 27 October, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.3, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1, 8.0.2, 8.0.4, 8.0.5
