Getting Data In

How do I find which host is sending events to Splunk using the HTTP Event Collector?

karu0711
Communicator

Is it possible to get the source which is sending the data, or the IP of the source? If it is possible.

Thanks

0 Karma

PickleRick
SplunkTrust

While there are some use cases where you can have a host field set to a particular metadata value in case it's not specified with the event (as has already been said in this thread), it works by injecting the extracted metadata into one of the standard fields. In general there is no way to retain additional metadata with the event, so if the sender specifies the host explicitly (and it's thus not generated by the input), Splunk has no way of keeping track of the source IP/hostname.

The same in fact goes for any other input. If you're receiving data on a network port, unless you capture the source IP in the host field (which might get extracted and overwritten later from the message body), you have no way of knowing the source address (that's one of the advantages of custom syslog receiving mechanisms).

0 Karma

enzomialich
Path Finder

As mentioned before, see inputs.conf for the HEC stanza: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Inputsconf#http:_.28HTTP_Event_Collector.29

You can set it at the event level (which is the way that takes precedence), or you could set it using connection_host.

0 Karma

_JP
Contributor

In the configuration of your HTTP Event Collector (HEC) token you can set how it handles the connection host.
I don't think this is in the GUI, so you might have to edit your inputs.conf file containing your HEC-related stanzas to set the connection_host property to get your desired behavior:
connection_host = [ip|dns|proxied_ip|none]
* Specifies the host if an event doesn't have a host set.
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  that sends the data. For this to work correctly, set the forward DNS lookup
  to match the reverse DNS lookup in your DNS configuration.
* "proxied_ip" checks whether an X-Forwarded-For header was sent
  (presumably by a proxy server) and if so, sets the host to that value.
  Otherwise, the IP address of the system sending the data is used.
* "none" leaves the host as specified in the HTTP header.
* No default.
0 Karma
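To make the precedence described in this thread concrete, here is an added example that is not Splunk's code and not posted by anyone above: a small Python model of the connection_host rules quoted from inputs.conf, run over a few constructed requests. The token names, client addresses, the reverse-DNS table, the trusted-proxy set and the events are all constructed assumptions; how Splunk treats a multi-hop X-Forwarded-For list is not stated in the snippet above, so the model's choice of the leftmost entry is an assumption too. The point it adds is which host values a remote sender can pick for itself.

```python
"""Model of how a HEC token's connection_host setting fills the host field.

Added example, not Splunk's own code: it reproduces the precedence rules
quoted from inputs.conf in the thread above so the outcomes can be compared,
and flags which host values are chosen by the sender rather than observed.
Everything below (token stanzas, reverse-DNS table, addresses, events) is
constructed for the example.
"""
import ipaddress

# Constructed reverse-DNS table standing in for the PTR lookup "dns" mode performs.
REVERSE_DNS = {"10.1.2.3": "app01.example.internal"}

# Constructed token definitions mirroring [http://<name>] stanzas in inputs.conf.
TOKENS = {
    "direct-sender": {"connection_host": "ip"},
    "by-name": {"connection_host": "dns"},
    "behind-lb": {"connection_host": "proxied_ip"},
    "no-default": {"connection_host": "none"},
}

# Constructed: the load balancers that legitimately rewrite X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.10")}


def connection_host(mode, client_ip, headers):
    """Host the input assigns when the event itself carries no host field."""
    if mode == "ip":
        return client_ip
    if mode == "dns":
        # No PTR record: fall back to the bare address (assumption, not in the snippet).
        return REVERSE_DNS.get(client_ip, client_ip)
    if mode == "proxied_ip":
        xff = headers.get("X-Forwarded-For")
        if xff:
            # Leftmost entry of a comma-separated chain is the originating client.
            # Assumption: the snippet does not say how a multi-hop list is handled.
            return xff.split(",")[0].strip()
        return client_ip
    if mode == "none":
        return None  # the input supplies nothing; host comes only from the event
    raise ValueError("unknown connection_host mode: " + mode)


def classify(token_name, client_ip, headers, event):
    """Apply the precedence: an event-level host wins, else connection_host decides.

    Returns {"host", "provenance", "sender_controlled"}.  A host is sender-
    controlled when it came from the event body, or from X-Forwarded-For sent
    by a TCP peer that is not one of the trusted proxies (that trust check is
    something the proxy layer has to enforce; it is not part of the setting).
    """
    mode = TOKENS[token_name]["connection_host"]
    if "host" in event:
        return {"host": event["host"], "provenance": "event", "sender_controlled": True}
    host = connection_host(mode, client_ip, headers)
    controlled = (
        mode == "proxied_ip"
        and bool(headers.get("X-Forwarded-For"))
        and ipaddress.ip_address(client_ip) not in TRUSTED_PROXIES
    )
    return {"host": host, "provenance": "connection_host=" + mode, "sender_controlled": controlled}


def scenarios():
    """Run one constructed event through each token and return the outcomes."""
    event = {"sourcetype": "app:json", "event": {"msg": "login ok"}}
    with_host = dict(event, host="anything-i-like")
    return {
        # Direct sender, connection_host=ip: host is the observed peer address.
        "ip": classify("direct-sender", "10.1.2.3", {}, event),
        "dns": classify("by-name", "10.1.2.3", {}, event),
        # Via the trusted load balancer: X-Forwarded-For is honoured and trustworthy.
        "via-lb": classify("behind-lb", "10.0.0.10",
                           {"X-Forwarded-For": "203.0.113.7, 10.0.0.10"}, event),
        # Same token reached directly: the sender writes X-Forwarded-For itself.
        "forged-xff": classify("behind-lb", "10.1.2.3",
                               {"X-Forwarded-For": "198.51.100.1"}, event),
        # Event-level host overrides every mode; the peer address is not retained.
        "event-host": classify("direct-sender", "10.1.2.3", {}, with_host),
        "none": classify("no-default", "10.1.2.3", {}, event),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:11} host={result['host']!s:24} {result['provenance']:28} "
              f"sender_controlled={result['sender_controlled']}")
```

Two practical consequences follow from the "forged-xff" and "event-host" rows. connection_host = proxied_ip is only as good as the proxy in front of HEC: if clients can reach the collector directly, they can set X-Forwarded-For to anything, so the proxy must be the only path in and must overwrite that header. And as soon as a client includes "host" in the event payload, nothing about the TCP peer survives into the index, which is the limitation PickleRick describes above.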