Is it possible to configure an app in Splunk to overwrite the hostname in logs sent from a universal forwarder?

Hi all,

New to Splunk here. I have configured 100 servers to send syslog data. I did this by using Puppet to install the universal forwarder and set a deployment server address to my Splunk server; then, in Splunk, I built an app to send syslog data back (using inputs.conf and outputs.conf). The app gets deployed.

I now have syslog data in my Splunk install!

However, given some history on some of these servers, I am getting multiple hostnames per server. (mostly abc and

Can I configure Splunk to overwrite the hostname from the logs?

In inputs.conf I tried to add


However, that did not seem to work.

0 Karma


Hi There,

Check this out, here's the answer to your question:


0 Karma