Set Host Field for Inputs

David16
Engager

Hello,

I am pulling data from two separate Azure instances and I need a way to differentiate the logs between the indexes. I don't want to put the data in separate indexes, and the source is the Microsoft API for both environments. Is there a way to manually set the host field for each input? I checked the splunk_ta_ms_o365_client_management_api_inputs.conf (and other confs) and I didn't see an option to set the host value.

Thank you.


deepashri_123
Motivator

Hey @David16,

You can refer to this doc:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Setadefaulthostforaninput

Let me know if this helps!!


jp_elizabeth
Explorer

Hello, have you tried differentiating by using the OrganizationId field? This should be different for each tenant that you're pulling data from.


David16
Engager

I thought of that, but I don't see the organization ID in every event.


jp_elizabeth
Explorer

Just to clarify, the events that don't have organization ID, are they from the o365 management API as well or is that including storage table and storage blob?

If you run the below search, how many API sources does it return?

index=(your index) sourcetype=(microsoft api) | rex field=source "/(?<apisource>.*)/activity" | stats count by apisource

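One index-time way to get a per-tenant host value without separate indexes, as an added example that is not from this thread or from the add-on itself: a props.conf/transforms.conf pair that rewrites the host field whenever an event carries an OrganizationId. The sourcetype name, the tenant GUIDs and the host labels below are assumptions and placeholders; events that lack OrganizationId keep the input's default host, which is exactly the gap David16 describes, so check coverage afterwards with a search such as "| stats count by host, source".

```ini
# props.conf  (deploy where parsing happens: the heavy forwarder running
# the add-on, or the indexers; assumed sourcetype name)
[o365:management:activity]
TRANSFORMS-o365_host_by_tenant = o365_host_tenant_a, o365_host_tenant_b

# transforms.conf
# Each rule matches the raw JSON field "OrganizationId" against one tenant's
# GUID and overwrites the host metadata key for that event only.
# Replace <TENANT_A_GUID> / <TENANT_B_GUID> with the real tenant IDs.
[o365_host_tenant_a]
REGEX = "OrganizationId"\s*:\s*"<TENANT_A_GUID>"
FORMAT = host::o365-tenant-a
DEST_KEY = MetaData:Host

[o365_host_tenant_b]
REGEX = "OrganizationId"\s*:\s*"<TENANT_B_GUID>"
FORMAT = host::o365-tenant-b
DEST_KEY = MetaData:Host
```

Because this runs at index time it only affects data ingested after the change, and events with no OrganizationId fall through untouched, so keep the check by source from the search above to see which API feeds still need another discriminator.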