Getting Data In

Can you override host for an input?

juniormint
Communicator

I have an input like the below. When I search for events from that input they have host=127.0.0.1. The app sending the events to the input is on the same host, so from the forwarders perspective the messages are from 127.0.0.1.

Anyway, it makes sense why I get the value that is currently there, but it is not particularly informative.

Any suggestions for how / where to override host?

Can I override it in inputs.conf? I cannot seem to find what exactly to put below (if its even possible).

excerpt from inputs.conf

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = ????

0 Karma

chris
Motivator

This is possible

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = myStaticHostValue

If there is more than one host/server sending data to your tcp port you can use a regex to get the host field from the events (if the host is logged in the event somewhere which is probably not the case for standard log4j logs) you have to configure this in props.conf & transforms.conf (you create those files in $SPLUNK_HOME/etc/system/local:

props.conf

 [source::mysource]
TRANSFORMS-ho=hostoverride

transforms.conf (>> info about transforms.conf)

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...