How to get segregated hostname from logs coming onto Heavy forwarder on single syslog 515 port into splunk


I am trying to integrate few servers into Splunk. The servers send syslog data only. Earlier I was having two servers(log sources), so I made the input traffic to come on port 514 and 515 . I used two port to get two host names in the logs. But now the servers count is about 5 servers and I dont feel like giving another 5 separate ports to this 5 servers for getting different host name.

I want to use single port say port 514 as input to my HF for n number of server, and get the n distinguish HOSTs. Can I anyone suggest how can I acheive this in splunk.

Tags (1)
0 Karma


Hi @ dikshaj,
if you want to ingest syslogs from only a set of servers, you have to follo indications of @nickhills.
If instead you want to ingest syslogs from all the servers, the easiest way to ingest syslogs from different servers is to receive all of them on the same port and then override host value using a regex.
In other words, on Heavy Forwarder you have to add a props.conf stanza (located in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/) like this:

TRANSFORMS-override_host = override_host

and in a transforms.conf stanza:

REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

Usually syslogs of all servers have hostname after the timestamp and/or IP address, to be more sure check this regex (if you want share an example and I can help).
For more infos see at .


0 Karma


Could you not use Rsyslog - if I understand the question - you want the syslog to create unique host information ?

$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Then apply this template to messages coming from remote hosts :

$RuleSet remote
. ?RemoteHost

Then have Splunk then monitor the entire /var/syslog/hosts/

0 Karma

Ultra Champion

Take a look here:

Specifically "Specify input settings"

If you are configuring using inputs.conf you should add:

connection_host = ip | dns | none 

"ip" sets the host to the IP address of the remote server.
"dns" sets the host to the DNS entry of the remote server.
"none" leaves the host as specified - ie your HF

If my comment helps, please give it a thumbs up!
0 Karma

0 Karma