Getting Data In

Is it possible to use an indexer's IP address for output on universal forwarder, but display the host name on the indexer?

splunkmasterfle
Path Finder

Hi,

Is there a way to use the IP address of the indexer on the universal forwarder but have the name of the host displayed on the indexer ??

Here is my configuration :

[tcpout]
defaultGroup = indexer-group

[tcpout:indexer-group]
maxQueueSize = auto
server = 172.44.23.114:9997

[tcpout-server://172.44.23.114:9997]

Meaning that on my index it would show "prod-log-server" (the hostname) instead of 172.44.23.114

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The indexer address used in outputs.conf is unrelated to any hosts set in inputs.conf (or overridden in transforms.conf... so yes, there is a way - nothing's in your way in fact.

Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...