Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I control or force the hostname to be a specific value via inputs.conf?

AK_Splunk
Explorer
‎03-29-2023 07:54 PM

How can I control or force the hostname to be a specific value via inputs.conf?

Inputs.conf stanza

[monitor:///var/log/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

[monitor:///var/adm/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

[monitor:///etc/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

I have tried multiple solution

Case 1--> added host_regex=<regular expression>  this did not work.
Case 2 --> added host= hostname1,hostname2,hostname3,hostname4 ---> this worked for some log file path like .var/log/message host = hostname1 and for some log file path like /var/log/dnf.log I am getting hostname=hostname1,hostname2,hostname3,hostname4
Case 3 --> I tried utilizing the feature where inputs.conf looks like below. But I can not implement this as a solution as the app will be pushed from DS to all UF respectively hence hardcoding using default setting can not be done in my case.
inputs.conf

[default]
host = <hostname1>

[monitor:///var/log/*]
disabled = 0
index = test_data

[monitor:///var/adm/*]
disabled = 0
index = test_data

[monitor:///etc/*]
disabled = 0
index = test_data

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2023 12:00 AM

Hi @AK_Splunk,

let me understand: where do you whould take the hostname value to associate to an event, from a path segment or from the UF hostname, or a part of the log itself, or where else?

Anyway, using the "host" option in inputs.conf, you can assign one fixed value to the host field.

You can also extract the host field from the path of the file or from a part of the name.

outside inputs.conf (using props.conf and transforms.conf on Heavy Forwarders or Indexers), you can also extract the host from the content of the event overriding the default value.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...