Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to change host value of the field in splunk web?

cebo_myeza
Path Finder
‎07-08-2015 07:11 PM

The value of my host is localhost.localdomain and i want to replace the value with an IP address of my Network Switch, so that i can search using host "ip address".

Thanks

0 Karma
Reply

jpvlsmv
Path Finder
‎07-13-2015 08:27 AM

In inputs.conf, set a host= value:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=192.168.1.254

--Joe

Reply

esix_splunk
Splunk Employee
Splunk Employee
‎07-16-2015 07:32 PM

There are a few approaches to this, best practices would be to configure your syslog server to drop all hosts in their own folders. E.g.;

/mylogs/routers/%HOSTIP%/%hostIP%.log

From there, you can have either a wildcard monitor, or specific for each input. Along with this, use the host_segment directive in the monitor stanza:

[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3

Props.conf : http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Inputsconf

0 Karma
Reply

cebo_myeza
Path Finder
‎07-16-2015 03:06 AM

Thanks Joe for your time

i have i more question thou, as i want to monitor more than 100 network switches each under the same sourcetype but each switch obviously has unique host ip address is it possible to do like this below:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=172.17.101.8
host=172.17.101.7
host=172.17.101.9
...

Thanks

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-16-2015 11:56 AM

You would have to deploy one inputs.conf per switch with one host setting each.

...are you even deploying this to the switch, or are you running a forwarder on a central syslog server that gets data from all switches?

0 Karma
Reply

cebo_myeza
Path Finder
‎07-16-2015 06:24 PM

i am running a full splunk enterprise in a linux server that get logs from all switches.

can you please elaborate more on your first line i dont understand it.

thanks martin

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 07:53 PM

You'll need to change the host field in inputs.conf at your data's source to get future events indexed with a host value you like.

0 Karma
Reply

cebo_myeza
Path Finder
‎07-08-2015 11:28 PM

i only see this inside my inputs.conf

...

[monitor: ///var/log/H3C/information]
disabled = false
sourcetype = syslog_wisdom

And i dont see any host value or do i have to just add the line like below after sourcetype...

host = 192.168.1.254

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 03:28 PM

If it's not already there you can just add it, yes.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...