Set a default host for a Splunk platform instance
An event host value is the IP address, host name, or fully qualified domain name of the physical device on the network from which the event originates. Because Splunk software assigns a
host value at index time for every event it indexes, host value searches let you easily find data that originates from a specific device.
You aren't able to change the default host name on Splunk Cloud Platform. Instead, you can assign host names based on inputs, sources, and source types. Finding data from a specific device is available only on Splunk Enterprise.
Default host assignment
If you haven't specified other host rules for a source, the default host value for an event is the hostname or IP address of the machine that runs the Splunk platform instance that ingests the event data. When the event originates on the Splunk platform instance itself, that host assignment is correct and there is no need to change anything. However, if you forward your data from a different host or if you're bulk-loading archive data, you might want to change the default host value for that data.
To set the default value of the host field, you can use Splunk Web or edit the inputs.conf configuration file.
Set the default host value using Splunk Web
Follow these steps to set the default value of the host field for all events coming into that Splunk instance. You can override the value for individual sources or events.
- In Splunk Web, click Settings > Server settings.
- On the Settings page, click General settings.
- On the General settings page, scroll down to the Index settings section and change the Default host name.
- Save your changes.
Set the default host value using inputs.conf
The default host assignment is set in the inputs.conf configuration file during installation. You can modify the host value by editing that file in the $SPLUNK_HOME/etc/system/local/ directory or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information, see inputs.conf.
The host assignment setting appears in the
[default] stanza in the file.
This is the format of the default host assignment in the inputs.conf file:
[default] host = <string>
<string> value to your chosen default host value.
<string> defaults to the IP address or domain name of the host where the data originated. Don't put quotes around the
<string> value. For example, type
After you edit the inputs.conf file, restart your Splunk platform instance to put your changes into effect.
By default, the
host setting is configured to the variable
$decideOnStartup, which means that it's set to the hostname of the machine
splunkd is running on. The daemon reinterprets the value each time it starts up.
Override the default host value for data received from a specific input
If you're running Splunk Enterprise on a central log archive or you're working with files forwarded from other hosts in your environment, you might need to override the default host assignment for events coming from particular inputs.
There are two methods for assigning a host value to data received through a particular input: you can define a static host value for all data coming through a specific input, or you can dynamically assign a host value to a portion of the path or file name of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.
For more information, see Set a default host for an file or directory input.
Override the default host value using event data
Some situations require you to assign host values by examining the event data. For example, if you have a central log host sending events to your Splunk platform deployment, you might have several host servers feeding data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event's data to determine the host value.
For more information, see Set host values based on event data.
Set a default host for a file or directory input
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209 (latest FedRAMP release), 8.2.2106, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208
Feedback submitted, thanks!