You'll need to change the host field in inputs.conf at your data's source to get future events indexed with a host value you like.
I only see this inside my inputs.conf:
disabled = false
sourcetype = syslog_wisdom
And I don't see any host value, or do I just have to add a line like the one below after sourcetype...
host = 192.168.1.254
Thanks Joe for your time.
I have one more question though: I want to monitor more than 100 network switches, each under the same sourcetype, but each switch obviously has a unique host IP address. Is it possible to do it like this below:
You would have to deploy one inputs.conf per switch with one host setting each.
...are you even deploying this to the switch, or are you running a forwarder on a central syslog server that gets data from all switches?
I am running a full Splunk Enterprise on a Linux server that gets logs from all switches.
Can you please elaborate more on your first line? I don't understand it.
There are a few approaches to this. Best practice would be to configure your syslog server to drop each host's logs into its own folder, e.g.:
From there, you can have either a wildcard monitor or a specific one for each input. Along with this, use the host_segment directive in the monitor stanza:
[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3
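An added example, not code from the original thread or from Splunk: a small Python emulation of how host_segment picks the host out of a monitored file's path, so the per-host folder layout suggested above can be sanity-checked before inputs.conf is deployed for a hundred switches. It assumes host_segment is a 1-based index into the path segments after the leading slash, that it must point at a directory rather than the file name, and that the `*` in a monitor path matches within a single path segment only; the sample file list is constructed for the example.

```python
"""Emulate Splunk's host_segment resolution for a monitor stanza (added example).

Assumptions (this is illustrative code, not Splunk's implementation):
  * host_segment is 1-based, counting path segments after the leading "/".
  * host_segment must point at a directory, never at the file name itself.
  * "*" in a monitor path matches within one path segment only.
"""
import fnmatch
from pathlib import PurePosixPath

# Constructed sample of files a per-host syslog layout could produce.
SAMPLE_FILES = [
    "/mylogs/routers/192.168.1.254/syslog.log",
    "/mylogs/routers/192.168.1.253/syslog.log",
    "/mylogs/routers/192.168.1.253/auth.log",
    "/mylogs/routers/misc.log",  # not under a host folder; must be skipped
]

MONITOR_PATH = "/mylogs/routers/*/*.log"  # the stanza from the answer above
HOST_SEGMENT = 3


def _segments(path: str) -> tuple:
    """Split an absolute POSIX path into its segments, dropping the leading '/'."""
    return PurePosixPath(path).parts[1:]


def matches_monitor(pattern: str, path: str) -> bool:
    """True if path is covered by the monitor pattern, matching segment by segment
    so a wildcard never crosses a directory boundary."""
    pparts, fparts = _segments(pattern), _segments(path)
    if len(pparts) != len(fparts):
        return False
    return all(fnmatch.fnmatchcase(f, p) for f, p in zip(fparts, pparts))


def host_from_segment(path: str, host_segment: int) -> str:
    """Return the path segment that host_segment selects as the host value."""
    segs = _segments(path)
    # The last segment is the file name; host_segment may only select a directory.
    if host_segment < 1 or host_segment > len(segs) - 1:
        raise ValueError(
            f"host_segment={host_segment} does not select a directory in {path!r}"
        )
    return segs[host_segment - 1]


def resolve_hosts(files, pattern: str, host_segment: int) -> dict:
    """Map every file the stanza would pick up to the host value it would get."""
    return {
        f: host_from_segment(f, host_segment)
        for f in files
        if matches_monitor(pattern, f)
    }


def hosts_per_directory(files, pattern: str, host_segment: int) -> dict:
    """Count distinct files per resolved host: one host per switch folder is the
    layout the answer recommends, so every switch should appear exactly once here."""
    counts: dict = {}
    for host in resolve_hosts(files, pattern, host_segment).values():
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for path, host in resolve_hosts(SAMPLE_FILES, MONITOR_PATH, HOST_SEGMENT).items():
        print(f"{path} -> host={host}")
```

Run it against a listing of your real syslog tree (for example the output of `find /mylogs/routers -type f`) in place of SAMPLE_FILES: any file that resolves to a host you did not expect, or a ValueError, means the folder depth and host_segment disagree and the events would be indexed with the wrong host.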