Can you override host for an input?

juniormint · ‎06-19-2013

I have an input like the below. When I search for events from that input they have host=127.0.0.1. The app sending the events to the input is on the same host, so from the forwarders perspective the messages are from 127.0.0.1.

Anyway, it makes sense why I get the value that is currently there, but it is not particularly informative.

Any suggestions for how / where to override host?

Can I override it in inputs.conf? I cannot seem to find what exactly to put below (if its even possible).

excerpt from inputs.conf

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = ????

chris · ‎06-19-2013

This is possible

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = myStaticHostValue

If there is more than one host/server sending data to your tcp port you can use a regex to get the host field from the events (if the host is logged in the event somewhere which is probably not the case for standard log4j logs) you have to configure this in props.conf & transforms.conf (you create those files in $SPLUNK_HOME/etc/system/local:

props.conf

 [source::mysource]
TRANSFORMS-ho=hostoverride

transforms.conf (>> info about transforms.conf)

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

Can you override host for an input?

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!