Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I control or force the hostname to be a specific value via inputs.conf?

AK_Splunk
Explorer
‎03-29-2023 07:54 PM

How can I control or force the hostname to be a specific value via inputs.conf?

Inputs.conf stanza

[monitor:///var/log/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

[monitor:///var/adm/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

[monitor:///etc/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

I have tried multiple solution

Case 1--> added host_regex=<regular expression>  this did not work.
Case 2 --> added host= hostname1,hostname2,hostname3,hostname4 ---> this worked for some log file path like .var/log/message host = hostname1 and for some log file path like /var/log/dnf.log I am getting hostname=hostname1,hostname2,hostname3,hostname4
Case 3 --> I tried utilizing the feature where inputs.conf looks like below. But I can not implement this as a solution as the app will be pushed from DS to all UF respectively hence hardcoding using default setting can not be done in my case.
inputs.conf

[default]
host = <hostname1>

[monitor:///var/log/*]
disabled = 0
index = test_data

[monitor:///var/adm/*]
disabled = 0
index = test_data

[monitor:///etc/*]
disabled = 0
index = test_data

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2023 12:00 AM

Hi @AK_Splunk,

let me understand: where do you whould take the hostname value to associate to an event, from a path segment or from the UF hostname, or a part of the log itself, or where else?

Anyway, using the "host" option in inputs.conf, you can assign one fixed value to the host field.

You can also extract the host field from the path of the file or from a part of the name.

outside inputs.conf (using props.conf and transforms.conf on Heavy Forwarders or Indexers), you can also extract the host from the content of the event overriding the default value.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...