https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327320#M97469 <P>Hi kiran331, You'll have to added a transform specification to the props config on the source or sourcetype. The transform could have a REGEX set to something like:</P> <PRE><CODE>mail\.text\.([^\.]+\.[^\.])\.iphmx\.com </CODE></PRE> <P>Taking the config from another answer: <A href="https://answers.splunk.com/answers/91933/can-you-override-host-for-an-input.html">https://answers.splunk.com/answers/91933/can-you-override-host-for-an-input.html</A></P> <PRE><CODE>#props [source::mysource] TRANSFORMS-ho=hostoverride #transforms [hostoverride] DEST_KEY = MetaData:Host REGEX = mail\.text\.([^\.]+\.[^\.])\.iphmx\.com FORMAT = host::$1 </CODE></PRE> <P>You might need to adjust the source specification in props (your source probably isn't named "mysource"), and the regex might need adjusting as well to be more generic depending if you have different patterns for the hostnames in the source.</P> <P>This config will need to be set on the indexer, or whatever splunk instance does the processing pipeline on the events. </P> <P>Please let me know if this answers your question! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Thu, 13 Apr 2017 16:09:08 GMT muebel 2017-04-13T16:09:08Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327319#M97468 <P>Hi,</P> <P>I have the syslogs coming from 4 consoles in to single path, how to extract the hostnames in inputs.conf file?</P> <P>log names;</P> <P><A href="mailto:mail.text.esa1.abc.iphmx.com.@20170413T093916.s">mail.text.esa1.abc.iphmx.com.@20170413T093916.s</A><BR /> <A href="mailto:mail.text.esa2.abc.iphmx.com.@20170413T093916.s">mail.text.esa2.abc.iphmx.com.@20170413T093916.s</A><BR /> <A href="mailto:mail.text.esa3.abc.iphmx.com.@20170413T093916.s">mail.text.esa3.abc.iphmx.com.@20170413T093916.s</A><BR /> <A href="mailto:mail.text.esa4.abc.iphmx.com.@20170413T093916.s">mail.text.esa4.abc.iphmx.com.@20170413T093916.s</A></P> <P>required hostnames:<BR /> esa1.abc<BR /> esa2.abc<BR /> esa3.abc<BR /> esa4.abc</P> Thu, 13 Apr 2017 15:10:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327319#M97468 kiran331 2017-04-13T15:10:51Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327320#M97469 <P>Hi kiran331, You'll have to added a transform specification to the props config on the source or sourcetype. The transform could have a REGEX set to something like:</P> <PRE><CODE>mail\.text\.([^\.]+\.[^\.])\.iphmx\.com </CODE></PRE> <P>Taking the config from another answer: <A href="https://answers.splunk.com/answers/91933/can-you-override-host-for-an-input.html">https://answers.splunk.com/answers/91933/can-you-override-host-for-an-input.html</A></P> <PRE><CODE>#props [source::mysource] TRANSFORMS-ho=hostoverride #transforms [hostoverride] DEST_KEY = MetaData:Host REGEX = mail\.text\.([^\.]+\.[^\.])\.iphmx\.com FORMAT = host::$1 </CODE></PRE> <P>You might need to adjust the source specification in props (your source probably isn't named "mysource"), and the regex might need adjusting as well to be more generic depending if you have different patterns for the hostnames in the source.</P> <P>This config will need to be set on the indexer, or whatever splunk instance does the processing pipeline on the events. </P> <P>Please let me know if this answers your question! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Thu, 13 Apr 2017 16:09:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327320#M97469 muebel 2017-04-13T16:09:08Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327321#M97470 <P>I tried this one, it dint worked. Do I have to mention anything under host= in inputs.conf?</P> Thu, 13 Apr 2017 21:48:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327321#M97470 kiran331 2017-04-13T21:48:33Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327322#M97471 <P>I think a + was missed in extracting expression:</P> <PRE><CODE>^mail\.text\.([^\.]+\.[^\.]+)\.iphmx\.com </CODE></PRE> <P>Following is the documentation for your use case with example: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments#Example">http://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments#Example</A></P> Fri, 14 Apr 2017 05:39:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-hostname-from-the-logs/m-p/327322#M97471 niketn 2017-04-14T05:39:19Z