Security

Host name in inputs.conf file

skibum
Engager

I am trying to use a host name in the stanza [udp://foo.514] but the name is not taking. On the same subject, if I have [udp://514] hostname = foo, this is ignored?

Is this just because I am using udp instead of tcp?

gkanapathy
Splunk Employee

Correct. It does not work with UDP, since there are no "connections" on a UDP port. However, I am not certain that this would do what you might be thinking it does. Please elaborate on what you would like this setting to actually do.

Genti
Splunk Employee

    #*
    # TCP:
    #*

    [tcp://:]
    * Configure Splunk to listen on a specific port.
    * If a connection is made from , this stanza is used to configure the input.
    * If is blank, this stanza matches all connections on the specified port.

    #*
    # UDP:
    #*

    [udp://]
    * Similar to TCP, except that it listens on a UDP port.

All options that work for TCP should work for UDP as well. I believe your syntax might be a bit off, though. Check the config file instructions:

    # The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10.
    # All data is assigned the host "webhead-1", the sourcetype "access_common" and the
    # the source "//10.1.1.10/var/log/apache/access.log."

    [tcp://10.1.1.10:9995]
    host = webhead-1
    sourcetype = access_common
    source = //10.1.1.10/var/log/apache/access.log

  • need to use foo:514
  • need to use host = foo

Lastly, if you actually want to see it being indexed as host = foo instead of host = 1.2.3.4, you need to set the flag connection_host = none.

.gz

0 Karma
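The three corrections in the answer above (foo:514, host = foo, connection_host = none), written as a small lint over inputs.conf text. This is an added example, not part of the original thread or Splunk's own tooling; `lint_inputs`, the sample stanzas and the use of Python's `configparser` as a stand-in parser are assumptions, and it does not settle whether a remote-host restriction takes effect on UDP.

```python
import configparser
import re

# Constructed sample: the two forms from the question plus a corrected stanza.
SAMPLE = """
[udp://foo.514]
sourcetype = syslog

[udp://514]
hostname = foo

[udp://foo:514]
host = foo
connection_host = none
"""

# Accepts port, :port and remote:port after tcp:// or udp://.
HEADER = re.compile(r"^(tcp|udp)://(?:([^:/]*):)?(\d+)$")

def lint_inputs(text):
    """Return (stanza, message) findings for network inputs in inputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith(("tcp://", "udp://")):
            continue  # only network inputs are checked
        keys = cp[name]
        if not HEADER.match(name):
            findings.append((name, "header is not port or remote:port"))
        if "hostname" in keys:
            findings.append((name, "'hostname' is not the setting; use 'host'"))
        if "host" in keys and keys.get("connection_host", "").strip() != "none":
            findings.append((name, "host is set but connection_host is not "
                                   "'none'; the sender's address or name wins"))
    return findings

if __name__ == "__main__":
    for stanza, msg in lint_inputs(SAMPLE):
        print(f"[{stanza}] {msg}")
```

On the constructed sample it reports the `foo.514` header and the `hostname` key, and passes the third stanza.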

bwooden
Splunk Employee

There are a few places the host value may be set.
Is your inputs.conf on the indexer?

Beyond inputs.conf, host values can also be set using props.conf & transforms.conf.
You can extract the host value from the syslog message too.

0 Karma