Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to configure HTTP Event collector to log clien...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mbintz
Explorer
02-08-2016
04:07 PM
My team has a growing interest in looking at geo location as a function of client IP address. I've installed a plugin to help with this, but I was a bit stunned to realize that none of my HEC records have the client's IP address (or the source IP) in them.
Is there a way to configure Splunk so that it records the client IP in the record metadata? I would like the server to obtain this information from the HTTP connection rather than have the clients report this information voluntarily since most of my clients won't know their actual WAN IP address (they're behind firewalls).
I see that my HEC records have "splunk_server" in them which is kinda' funny since (it seems to me) that Splunkers would be far more interested in the ORIGIN of the record rather than DESTINATION of the record.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gblock_splunk
Splunk Employee
02-08-2016
04:40 PM
Hi @mbintz
Great to hear you are using HEC. By default the host will be the host set to the server host. To change this you can set the connection_host setting in etc\apps\splunk_httpinput\inputs.conf. It will allow you to select to use the client IP. You can set this either globally at the [http] stanza level or for each individual token within the token stanza.
Here is the setting from inputs.conf.spec
connection_host = [ip|dns|none]
* Specify the host if an event doesn't have host set.
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in the HTTP header.
The default is none.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gblock_splunk
Splunk Employee
02-08-2016
04:40 PM
Hi @mbintz
Great to hear you are using HEC. By default the host will be the host set to the server host. To change this you can set the connection_host setting in etc\apps\splunk_httpinput\inputs.conf. It will allow you to select to use the client IP. You can set this either globally at the [http] stanza level or for each individual token within the token stanza.
Here is the setting from inputs.conf.spec
connection_host = [ip|dns|none]
* Specify the host if an event doesn't have host set.
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in the HTTP header.
The default is none.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Akeydel
Explorer
02-26-2025
12:37 PM
I have been receiving HTTP Events from an invalid token, and want to trace them back to the source.
However, the HEC is behind an NGINX load-balancer, so I need to configure the HEC to use proxied_ip to find the original IP.
connection_host = [ip|dns|proxied_ip|none] * "proxied_ip" checks whether an X-Forwarded-For header was sent (presumably by a proxy server) and if so, sets the host to that value. Otherwise, the IP address of the system sending the data is used. * No default.
I would also like to apply it to every token, as all HEC ingest goes through the LB.
However, it looks like this option is only available at a per-token level.
HTTP Event Collector (HEC) - Local stanza for each token | inputs.conf
Nothing changed when I set it under [http]
Seems like this was implemented incorrectly...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mbintz
Explorer
02-09-2016
07:52 AM
The per-token settings sounds perfect. It'd be great if that were settable in the GUI.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gblock_splunk
Splunk Employee
02-09-2016
08:02 AM
Good suggestion, I will file it.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
catalina4
Observer
01-26-2023
01:20 PM
Was this feature added onto the UI?
Get Updates on the Splunk Community!
Enhance Your Splunk App Development: New Tools & Support
UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
