Change a sourcetypes 'host' field to read from the...

robnewman666 · ‎11-05-2020

I have a feed that has the host field defaulting to what is essentially the sourcetype, but in the shost field I have all the host data that I want/need in the host field. I want to know what is easier and won't break any of the splunk system configs for the built in host name extraction. Is it better to create a FIELDALIAS to have shost AS host in the props.conf for that dataset or to do something different like a transforms.conf?

isoutamo · ‎11-05-2020

Probably I don’t get what you are meaning, but as host field is one of those indexed fields I prefer to put the real host there.

inventsekar · ‎11-05-2020

Hi @robnewman666 i think, as you said, FIELDALIAS is better for this situation..

documentation reference:

https://docs.splunk.com/Documentation/Splunk/8.1.0/Knowledge/Configurefieldaliaseswithprops.conf

Change a sourcetypes 'host' field to read from the 'shost' field instead.

index

props.conf

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation