Splunk Cloud

Getting Data In

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of SplunkCloud. Click here for the latest version.
Acrobat logo Download topic as PDF

Set a default host for a Splunk instance

An event host value is the IP address, host name, or fully qualified domain name of the physical device on the network from which the event originates. Because Splunk software assigns a host value at index time for every event it indexes, host value searches enable you to easily find data originating from a specific device.

Default host assignment

If you have not specified other host rules for a source (using the information in subsequent topics in this chapter), the default host value for an event is the hostname or IP address of the server running the Splunk instance (forwarder or indexer) consuming the event data. When the event originates on the server on which the Splunk instance is running, that host assignment is correct and there's no need to change anything. However, if all your data is being forwarded from a different host or if you're bulk-loading archive data, you might want to change the default host value for that data.

To set the default value of the host field, you can use Splunk Web or edit inputs.conf on your forwarder.

Set the default host value using Splunk Web

1. In Splunk Web, click Settings.

3. On the Settings page, click General settings.

4. On the General settings page, scroll down to the Index settings section and change the Default host name.

5. Save your changes.

This sets the default value of the host field for all events coming into that Splunk instance. You can override the value for invidividual sources or events, as described later in this chapter.

Override the default host value for data received from a specific input

If you are working with files forwarded from other hosts in your environment, you might need to override the default host assignment for events coming from particular inputs.

There are two methods for assigning a host value to data received through a particular input. You can define a static host value for all data coming through a specific input, or you can dynamically assign a host value to a portion of the path or filename of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.

For more information, see Set a default host for an file or directory input in this manual.

Override the default host value using event data

Some situations require you to assign host values by examining the event data. For example, If you have a central log host sending events to your Splunk deployment, you might have several host servers feeding data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event's data to determine the host value.

For more information, see Set host values based on event data in this manual.

Last modified on 15 February, 2020
PREVIOUS
About hosts 		  NEXT
Set a default host for a file or directory input

This documentation applies to the following versions of Splunk Cloud: 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters