Security

How to change the host value of the field in Splunk Web?

cebo_myeza
Path Finder

The value of my host is localhost.localdomain and I want to replace the value with the IP address of my network switch, so that I can search using host="ip address".

Thanks

0 Karma

jpvlsmv
Path Finder

In inputs.conf, set a host= value:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=192.168.1.254

--Joe

esix_splunk
Splunk Employee

There are a few approaches to this; best practice would be to configure your syslog server to drop all hosts into their own folders, e.g.:

/mylogs/routers/%HOSTIP%/%hostIP%.log

From there, you can have either a wildcard monitor, or specific for each input. Along with this, use the host_segment directive in the monitor stanza:

[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3

Props.conf : http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Inputsconf

0 Karma

cebo_myeza
Path Finder

Thanks Joe for your time

I have one more question though: I want to monitor more than 100 network switches, each under the same sourcetype, but each switch obviously has a unique host IP address. Is it possible to do it like this below:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=172.17.101.8
host=172.17.101.7
host=172.17.101.9
...

Thanks

0 Karma

martin_mueller
SplunkTrust

You would have to deploy one inputs.conf per switch with one host setting each.

...are you even deploying this to the switch, or are you running a forwarder on a central syslog server that gets data from all switches?

0 Karma
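To make the two points above concrete (a stanza can only carry one host= value, and host_segment derives the host from the path instead), here is an added Python example that is not from the thread or from Splunk: a minimal inputs.conf parser that resolves the host for a given log path the way the answers describe. It assumes a repeated key inside one stanza keeps only the last value and that `*` in a monitor path does not cross a `/`; the conf text and paths are constructed for the demo.

```python
import re

# Constructed inputs.conf: the multi-host= stanza from the question next to
# the host_segment stanza from the syslog-folder answer.
INPUTS_CONF = """
[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=172.17.101.8
host=172.17.101.7
host=172.17.101.9

[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3
"""

def parse_inputs_conf(text):
    """Minimal INI-style parser: one dict per stanza, one value per key.
    Assumption: a repeated key keeps only the last value, so the three
    host= lines above collapse to a single host."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def monitor_matches(stanza, path):
    """A plain monitor path matches itself and everything below it; a
    wildcard path matches segment by segment ('*' never crosses '/')."""
    pattern = stanza[len("monitor://"):]
    if "*" not in pattern:
        return path == pattern or path.startswith(pattern + "/")
    regex = "".join("[^/]*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, path) is not None

def resolve_host(stanzas, path, default="localhost.localdomain"):
    """host_segment takes the Nth path segment (1-based, leading '/' dropped);
    otherwise host= applies; otherwise the forwarder's own name is used."""
    for name, settings in stanzas.items():
        if not name.startswith("monitor://") or not monitor_matches(name, path):
            continue
        if "host_segment" in settings:
            return path.lstrip("/").split("/")[int(settings["host_segment"]) - 1]
        return settings.get("host", default)
    return default
```

Running `resolve_host` on `/mylogs/routers/10.0.0.1/10.0.0.1.log` yields `10.0.0.1`, while every file under `/var/log/H3C/information` gets the single surviving host value.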

cebo_myeza
Path Finder

I am running a full Splunk Enterprise on a Linux server that gets logs from all switches.

Can you please elaborate more on your first line? I don't understand it.

Thanks Martin

0 Karma

martin_mueller
SplunkTrust

You'll need to change the host field in inputs.conf at your data's source to get future events indexed with a host value you like.

0 Karma

cebo_myeza
Path Finder

I only see this inside my inputs.conf

...

[monitor:///var/log/H3C/information]
disabled = false
sourcetype = syslog_wisdom

And I don't see any host value. Do I have to just add the line like below after sourcetype...

host = 192.168.1.254

0 Karma

martin_mueller
SplunkTrust

If it's not already there you can just add it, yes.

0 Karma