Getting Data In

Can you override host for an input?

juniormint
Communicator

I have an input like the below. When I search for events from that input they have host=127.0.0.1. The app sending the events to the input is on the same host, so from the forwarders perspective the messages are from 127.0.0.1.

Anyway, it makes sense why I get the value that is currently there, but it is not particularly informative.

Any suggestions for how / where to override host?

Can I override it in inputs.conf? I cannot seem to find what exactly to put below (if its even possible).

excerpt from inputs.conf

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = ????

0 Karma

chris
Motivator

This is possible

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = myStaticHostValue

If there is more than one host/server sending data to your tcp port you can use a regex to get the host field from the events (if the host is logged in the event somewhere which is probably not the case for standard log4j logs) you have to configure this in props.conf & transforms.conf (you create those files in $SPLUNK_HOME/etc/system/local:

props.conf

 [source::mysource]
TRANSFORMS-ho=hostoverride

transforms.conf (>> info about transforms.conf)

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...