Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I control or force the hostname to be a specific value via inputs.conf?

AK_Splunk
Explorer
‎03-29-2023 07:54 PM

How can I control or force the hostname to be a specific value via inputs.conf?

Inputs.conf stanza

[monitor:///var/log/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

[monitor:///var/adm/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

[monitor:///etc/*]
disabled = 0
index = test_data
host = hostname1,hostname2,hostname3,hostname4

I have tried multiple solution

Case 1--> added host_regex=<regular expression>  this did not work.
Case 2 --> added host= hostname1,hostname2,hostname3,hostname4 ---> this worked for some log file path like .var/log/message host = hostname1 and for some log file path like /var/log/dnf.log I am getting hostname=hostname1,hostname2,hostname3,hostname4
Case 3 --> I tried utilizing the feature where inputs.conf looks like below. But I can not implement this as a solution as the app will be pushed from DS to all UF respectively hence hardcoding using default setting can not be done in my case.
inputs.conf

[default]
host = <hostname1>

[monitor:///var/log/*]
disabled = 0
index = test_data

[monitor:///var/adm/*]
disabled = 0
index = test_data

[monitor:///etc/*]
disabled = 0
index = test_data

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2023 12:00 AM

Hi @AK_Splunk,

let me understand: where do you whould take the hostname value to associate to an event, from a path segment or from the UF hostname, or a part of the log itself, or where else?

Anyway, using the "host" option in inputs.conf, you can assign one fixed value to the host field.

You can also extract the host field from the path of the file or from a part of the name.

outside inputs.conf (using props.conf and transforms.conf on Heavy Forwarders or Indexers), you can also extract the host from the content of the event overriding the default value.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...