Archive

Host name in inputs.conf file

Engager

I am trying to use a host name in the stanza [udp://foo.514] but the name is not taking, on the same subject if I have [udp://514] hostname = foo

this is ignored?

Is this just because I am using udp instead of tcp?

Splunk Employee
Splunk Employee

Correct. It does not work with UDP, since there are no "connections" on a UDP port. However, I am not certain that this would do what you might be thinking it does. Please elaborate on what you would like this setting to actually do.

Splunk Employee
Splunk Employee

.#* .# TCP: .#*

[tcp://:] .* Configure Splunk to listen on a specific port. .* If a connection is made from , this stanza is used to configure the input. .* If is blank, this stanza matches all connections on the specified port.

.#* .# UDP: .#*

[udp://] .* Similar to TCP, except that it listens on a UDP port.

all options that work for TCP should work for UDP as well. I believe your syntax might be a bit off though. Check the config file instructions:

.# The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10. .# All data is assigned the host "webhead-1", the sourcetype "access_common" and the .# the source "//10.1.1.10/var/log/apache/access.log."

[tcp://10.1.1.10:9995] host = webhead-1 sourcetype = access_common source = //10.1.1.10/var/log/apache/access.log

  • need to use foo:514
  • need to use host = foo

Lastly, if you actually want to see it being indexed as host = foo instead of host = 1.2.3.4 you need to set the flag connection_host = none

.gz

0 Karma

Splunk Employee
Splunk Employee

There are a few places the host value may be set.
Is your inputs.conf on the indexer?

Beyond inputs.conf, host values can also be set using props.conf & transforms.conf.
You can extract the host value from the syslog message too.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!