I have an input like the below. When I search for events from that input they have host=127.0.0.1. The app sending the events to the input is on the same host, so from the forwarders perspective the messages are from 127.0.0.1.
Anyway, it makes sense why I get the value that is currently there, but it is not particularly informative.
Any suggestions for how / where to override host?
Can I override it in inputs.conf? I cannot seem to find what exactly to put below (if its even possible).
excerpt from inputs.conf
[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = ????
This is possible
[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = myStaticHostValue
If there is more than one host/server sending data to your tcp port you can use a regex to get the host field from the events (if the host is logged in the event somewhere which is probably not the case for standard log4j logs) you have to configure this in props.conf & transforms.conf (you create those files in $SPLUNK_HOME/etc/system/local:
props.conf
[source::mysource]
TRANSFORMS-ho=hostoverride
transforms.conf (>> info about transforms.conf)
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1