Security

how to change host value of the field in splunk web?

cebo_myeza
Path Finder

The value of my host is localhost.localdomain and i want to replace the value with an IP address of my Network Switch, so that i can search using host "ip address".

Thanks

0 Karma

jpvlsmv
Path Finder

In inputs.conf, set a host= value:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=192.168.1.254

--Joe

esix_splunk
Splunk Employee
Splunk Employee

There are a few approaches to this, best practices would be to configure your syslog server to drop all hosts in their own folders. E.g.;

/mylogs/routers/%HOSTIP%/%hostIP%.log

From there, you can have either a wildcard monitor, or specific for each input. Along with this, use the host_segment directive in the monitor stanza:

[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3

Props.conf : http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Inputsconf

0 Karma

cebo_myeza
Path Finder

Thanks Joe for your time

i have i more question thou, as i want to monitor more than 100 network switches each under the same sourcetype but each switch obviously has unique host ip address is it possible to do like this below:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=172.17.101.8
host=172.17.101.7
host=172.17.101.9
...

Thanks

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You would have to deploy one inputs.conf per switch with one host setting each.

...are you even deploying this to the switch, or are you running a forwarder on a central syslog server that gets data from all switches?

0 Karma

cebo_myeza
Path Finder

i am running a full splunk enterprise in a linux server that get logs from all switches.

can you please elaborate more on your first line i dont understand it.

thanks martin

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You'll need to change the host field in inputs.conf at your data's source to get future events indexed with a host value you like.

0 Karma

cebo_myeza
Path Finder

i only see this inside my inputs.conf

...

[monitor: ///var/log/H3C/information]
disabled = false
sourcetype = syslog_wisdom

And i dont see any host value or do i have to just add the line like below after sourcetype...

host = 192.168.1.254

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If it's not already there you can just add it, yes.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...