I am trying to use a host name in the stanza [udp://foo.514] but the name is not taking, on the same subject if I have [udp://514] hostname = foo
this is ignored?
Is this just because I am using udp instead of tcp?
There are a few places the host value may be set.
Is your inputs.conf on the indexer?
Beyond inputs.conf, host values can also be set using props.conf & transforms.conf.
You can extract the host value from the syslog message too.
.#* .# TCP: .#*
[tcp://:] .* Configure Splunk to listen on a specific port. .* If a connection is made from , this stanza is used to configure the input. .* If is blank, this stanza matches all connections on the specified port.
.#* .# UDP: .#*
[udp://] .* Similar to TCP, except that it listens on a UDP port.
all options that work for TCP should work for UDP as well. I believe your syntax might be a bit off though. Check the config file instructions:
.# The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10. .# All data is assigned the host "webhead-1", the sourcetype "access_common" and the .# the source "//10.1.1.10/var/log/apache/access.log."
[tcp://10.1.1.10:9995] host = webhead-1 sourcetype = access_common source = //10.1.1.10/var/log/apache/access.log
Lastly, if you actually want to see it being indexed as host = foo instead of host = 22.214.171.124 you need to set the flag connection_host = none
Correct. It does not work with UDP, since there are no "connections" on a UDP port. However, I am not certain that this would do what you might be thinking it does. Please elaborate on what you would like this setting to actually do.