Is this possible to get source which sending the data or IP of the source. If it possible.
Thanks
While there are some use cases where you can have a host field set to a particular metadata value in case it's not specified with the event (as has been already said in this thread) it works by injecting the extracted metadata into one of the standard fields. In general there is no way to retain additional metadata with the event so if the sender specifies the host explicitly (and it's thus not generated by the input) Splunk has no way of keeping track of source ip/hostnames.
The same in fact goes for any other input. If you're receiving data on a network port, unless you capture the source ip in host field (which might get extracted and overwritten later from the message body) you have no way of knowing the source address (that's one of the advantages of custom syslog receiving mechanisms.
As mentioned before see the inputs.conf for the HEC stanza: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Inputsconf#http:_.28HTTP_Event_Collector.29
You can set at the event level (which is the way that takes precedence) or you could set using connection host.
In the configuration of your HTTP Event Collector (HEC) token you can set how it handles the connection host.
I don't think this is in the GUI, so you might have to edit your inputs.conf file containing your HEC-related stanzas to set the connection_host property to get your desired behavior:
connection_host = [ip|dns|proxied_ip|none] * Specifies the host if an event doesn't have a host set. * "ip" sets the host to the IP address of the system sending the data. * "dns" sets the host to the reverse DNS entry for IP address of the system that sends the data. For this to work correctly, set the forward DNS lookup to match the reverse DNS lookup in your DNS configuration. * "proxied_ip" checks whether an X-Forwarded-For header was sent (presumably by a proxy server) and if so, sets the host to that value. Otherwise, the IP address of the system sending the data is used. * "none" leaves the host as specified in the HTTP header. * No default.