Change a sourcetypes 'host' field to read from the...

robnewman666 · ‎11-05-2020

I have a feed that has the host field defaulting to what is essentially the sourcetype, but in the shost field I have all the host data that I want/need in the host field. I want to know what is easier and won't break any of the splunk system configs for the built in host name extraction. Is it better to create a FIELDALIAS to have shost AS host in the props.conf for that dataset or to do something different like a transforms.conf?

isoutamo · ‎11-05-2020

Probably I don’t get what you are meaning, but as host field is one of those indexed fields I prefer to put the real host there.

inventsekar · ‎11-05-2020

Hi @robnewman666 i think, as you said, FIELDALIAS is better for this situation..

documentation reference:

https://docs.splunk.com/Documentation/Splunk/8.1.0/Knowledge/Configurefieldaliaseswithprops.conf

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Change a sourcetypes 'host' field to read from the 'shost' field instead.

index

props.conf

transforms.conf

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation