
Can we change the host name of the forwarder before indexing?


We have 100 hosts, and for all these hosts we want to append a keyword to the host name. For example, the hostnames are TEST1, TEST2 and TEST3 and we want to add a keyword called APP, so the final host names will be like APPTEST1, APPTEST2 and APPTEST3. Can we do this at UF level?

Note: we don't want to do this based on source and source type at HF level because of the default source and source types.

0 Karma


UF does only simple ingestion and generally does not modify the events. You can set your metadata to a static value but not calculate it dynamically.

Your non-Splunk solution would be to use a third-party provisioning software (like Ansible, Chef or Puppet) to prepare your UF configs dynamically so that the host setting at the UF level or even a single input is set to this dynamic value.

Alternatively, you can do an index-time rewrite of your metadata with a transform similar to what @gcusello presented, just tied to a group of hosts with a matching pattern - see

0 Karma
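
The provisioning approach from the reply above, as an added example that is not part of the original thread: a shell function a provisioning tool could run on each Linux forwarder to write `host = APP<hostname>` into the `[default]` stanza of inputs.conf. The function name, its arguments and the conf path passed to it are assumptions.

```bash
#!/usr/bin/env bash
# Added example: set a prefixed host value in a UF's inputs.conf at deploy time.
# set_uf_host and its arguments are hypothetical names, not Splunk tooling.

# set_uf_host PREFIX CONF [HOSTNAME]
# Writes "host = <PREFIX><HOSTNAME>" into the [default] stanza of CONF.
# The value is always derived from the machine name, never from the current
# conf value, so re-running does not stack the prefix or duplicate the line.
set_uf_host() {
    local prefix="$1" conf="$2" name="${3:-$(hostname -s)}"
    # Refuse names that could inject extra settings or stanzas into the file.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid hostname: $name" >&2; return 1 ;;
    esac
    name="${prefix}${name}"

    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    local tmp
    tmp="$(mktemp)" || return 1
    awk -v h="$name" '
        /^\[/ {                               # stanza header
            # leaving [default] without a host line: add it before the next stanza
            if (in_default && !done) { print "host = " h; done = 1 }
            in_default = ($0 == "[default]")
            if (in_default) seen = 1
            print; next
        }
        in_default && /^[ \t]*host[ \t]*=/ {  # replace an existing host line
            if (!done) { print "host = " h; done = 1 }
            next
        }
        { print }
        END {
            if (!seen) print "[default]"
            if (!done) print "host = " h
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Point the second argument at the inputs.conf your deployment manages on the forwarder; the new host value only applies to events read after the forwarder is restarted.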


Hi @Splunksc,

You have two choices:

  • Force the hostname at Forwarder level, but it's complicated if you have many forwarders.
  • Otherwise the only solution is to override the host value on an event basis on the Heavy Forwarder.

There's also a workaround: you could create a calculated field that overrides the host value at search time, not at index time.

The easiest solution is to override the host value when you encounter one of the hosts that you don't want:

In props.conf (on the Heavy Forwarder):

# One stanza per host to rewrite; <hostname> is a placeholder (the stanza headers are missing from the post).
[host::<hostname>]
TRANSFORMS-override_host = override_host

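In transforms.conf on the Heavy Forwarder:

[override_host]
SOURCE_KEY = MetaData:Host
# MetaData:Host values carry a "host::" prefix; capture the name after it so $1 is populated.
REGEX = ^host::(.*)$
FORMAT = host::APP$1
DEST_KEY = MetaData:Host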



0 Karma


We have N number of hosts, so we cannot use the static host with props.conf.

We need something dynamic. Also, we should consider the default source types like winhost.

0 Karma