Set a default host for a Splunk instance
An event host value is the IP address, host name, or fully qualified domain name of the physical device on the network from which the event originates. Because Splunk software assigns a
host value at index time for every event it indexes, host value searches enable you to easily find data originating from a specific device.
Default host assignment
If you have not specified other host rules for a source (using the information in subsequent topics in this chapter), the default host value for an event is the hostname or IP address of the server running the Splunk instance (forwarder or indexer) consuming the event data. When the event originates on the server on which the Splunk instance is running, that host assignment is correct and there's no need to change anything. However, if all your data is being forwarded from a different host or if you're bulk-loading archive data, you might want to change the default host value for that data.
To set the default value of the host field, you can use Splunk Web or edit
Set the default host value using Splunk Web
1. In Splunk Web, click Settings.
3. On the Settings page, click General settings.
4. On the General settings page, scroll down to the Index settings section and change the Default host name.
5. Save your changes.
This sets the default value of the host field for all events coming into that Splunk instance. You can override the value for invidividual sources or events, as described later in this chapter.
Set the default host value using inputs.conf
The default host assignment is set in inputs.conf during installation. You can modify the host value by editing that file in
$SPLUNK_HOME/etc/system/local/ or in your own custom application directory in
The host assignment is specified in the
This is the format of the default host assignment in
[default] host = <string>
<string> to your chosen default host value.
<string> defaults to the IP address or domain name of the host where the data originated.
Warning: Do not put quotes around the
inputs.conf, you must restart your Splunk instance to put your changes into effect.
Note: By default, the
host attribute is set to the variable
$decideOnStartup, which means that it's set to the hostname of the machine
splunkd is running on. The splunk daemon re-interprets the value each time it starts up.
Override the default host value for data received from a specific input
If you are running Splunk Enterprise on a central log archive, or you are working with files forwarded from other hosts in your environment, you might need to override the default host assignment for events coming from particular inputs.
There are two methods for assigning a host value to data received through a particular input. You can define a static host value for all data coming through a specific input, or you can dynamically assign a host value to a portion of the path or filename of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.
For more information, see Set a default host for an file or directory input in this manual.
Override the default host value using event data
Some situations require you to assign host values by examining the event data. For example, If you have a central log host sending events to your Splunk deployment, you might have several host servers feeding data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event's data to determine the host value.
For more information, see Set host values based on event data in this manual.
Set a default host for a file or directory input
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Feedback submitted, thanks!