Can you override host for an input?

juniormint · ‎06-19-2013

I have an input like the below. When I search for events from that input they have host=127.0.0.1. The app sending the events to the input is on the same host, so from the forwarders perspective the messages are from 127.0.0.1.

Anyway, it makes sense why I get the value that is currently there, but it is not particularly informative.

Any suggestions for how / where to override host?

Can I override it in inputs.conf? I cannot seem to find what exactly to put below (if its even possible).

excerpt from inputs.conf

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = ????

chris · ‎06-19-2013

This is possible

[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = myStaticHostValue

If there is more than one host/server sending data to your tcp port you can use a regex to get the host field from the events (if the host is logged in the event somewhere which is probably not the case for standard log4j logs) you have to configure this in props.conf & transforms.conf (you create those files in $SPLUNK_HOME/etc/system/local:

props.conf

 [source::mysource]
TRANSFORMS-ho=hostoverride

transforms.conf (>> info about transforms.conf)

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

Can you override host for an input?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?