Security

how to change host value of the field in splunk web?

cebo_myeza
Path Finder

The value of my host is localhost.localdomain and i want to replace the value with an IP address of my Network Switch, so that i can search using host "ip address".

Thanks

0 Karma

jpvlsmv
Path Finder

In inputs.conf, set a host= value:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=192.168.1.254

--Joe

esix_splunk
Splunk Employee
Splunk Employee

There are a few approaches to this, best practices would be to configure your syslog server to drop all hosts in their own folders. E.g.;

/mylogs/routers/%HOSTIP%/%hostIP%.log

From there, you can have either a wildcard monitor, or specific for each input. Along with this, use the host_segment directive in the monitor stanza:

[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3

Props.conf : http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Inputsconf

0 Karma

cebo_myeza
Path Finder

Thanks Joe for your time

i have i more question thou, as i want to monitor more than 100 network switches each under the same sourcetype but each switch obviously has unique host ip address is it possible to do like this below:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=172.17.101.8
host=172.17.101.7
host=172.17.101.9
...

Thanks

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You would have to deploy one inputs.conf per switch with one host setting each.

...are you even deploying this to the switch, or are you running a forwarder on a central syslog server that gets data from all switches?

0 Karma

cebo_myeza
Path Finder

i am running a full splunk enterprise in a linux server that get logs from all switches.

can you please elaborate more on your first line i dont understand it.

thanks martin

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You'll need to change the host field in inputs.conf at your data's source to get future events indexed with a host value you like.

0 Karma

cebo_myeza
Path Finder

i only see this inside my inputs.conf

...

[monitor: ///var/log/H3C/information]
disabled = false
sourcetype = syslog_wisdom

And i dont see any host value or do i have to just add the line like below after sourcetype...

host = 192.168.1.254

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If it's not already there you can just add it, yes.

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...