how to change host value of the field in splunk web?

Path Finder

The value of my host is localhost.localdomain and I want to replace the value with the IP address of my network switch, so that I can search using host="ip address".

Thanks

0 Karma

Re: how to change host value of the field in splunk web?

SplunkTrust

You'll need to change the host field in inputs.conf at your data's source to get future events indexed with a host value you like.

0 Karma

Re: how to change host value of the field in splunk web?

Path Finder

I only see this inside my inputs.conf:

...

[monitor: ///var/log/H3C/information]
disabled = false
sourcetype = syslog_wisdom

And I don't see any host value. Do I just have to add the line like below after sourcetype...

host = 192.168.1.254

0 Karma

Re: how to change host value of the field in splunk web?

SplunkTrust

If it's not already there you can just add it, yes.

0 Karma

Re: how to change host value of the field in splunk web?

Path Finder

In inputs.conf, set a host= value:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=192.168.1.254

--Joe


Re: how to change host value of the field in splunk web?

Path Finder

Thanks Joe for your time.

I have one more question though: I want to monitor more than 100 network switches, each under the same sourcetype, but each switch obviously has a unique host IP address. Is it possible to do it like this below:

[monitor:///var/log/H3C/information]
disabled=false
sourcetype=syslog_wisdom
host=172.17.101.8
host=172.17.101.7
host=172.17.101.9
...

Thanks

0 Karma

Re: how to change host value of the field in splunk web?

SplunkTrust

You would have to deploy one inputs.conf per switch with one host setting each.

...are you even deploying this to the switch, or are you running a forwarder on a central syslog server that gets data from all switches?

0 Karma

Re: how to change host value of the field in splunk web?

Path Finder

I am running a full Splunk Enterprise on a Linux server that gets logs from all switches.

Can you please elaborate more on your first line? I don't understand it.

Thanks Martin

0 Karma

Re: how to change host value of the field in splunk web?

Splunk Employee

There are a few approaches to this; best practice would be to configure your syslog server to drop each host's logs into its own folder, e.g.:

/mylogs/routers/%HOSTIP%/%hostIP%.log

From there, you can have either a wildcard monitor, or specific for each input. Along with this, use the host_segment directive in the monitor stanza:

[monitor:///mylogs/routers/*/*.log]
sourcetype = mysourcetype
host_segment = 3

Props.conf : http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Inputsconf

0 Karma
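An added example, not part of the thread, showing what host_segment=3 actually derives from paths under the per-host layout above, and why it is worth checking: the wildcard monitor also picks up any stray directory under routers/ (the "archive" path below is constructed for illustration), and that directory name then becomes the host of every event in it.

```python
import ipaddress
from pathlib import PurePosixPath

# Stanza from the thread (constructed copy for this example): each switch
# writes to its own directory, and host_segment picks that directory name.
MONITOR_PATH = "/mylogs/routers/*/*.log"
HOST_SEGMENT = 3


def host_from_segment(path: str, host_segment: int = HOST_SEGMENT) -> str:
    """Return the path segment Splunk uses as host for host_segment=N.

    Segments are the '/'-separated parts after the leading slash, counted
    from 1, so /mylogs/routers/172.17.101.8/x.log with N=3 yields 172.17.101.8.
    """
    if not path.startswith("/"):
        raise ValueError(f"monitor paths are absolute: {path!r}")
    segments = PurePosixPath(path).parts[1:]  # drop the root '/'
    # The host must be a directory component, never the file name itself.
    if host_segment < 1 or host_segment >= len(segments):
        raise ValueError(f"host_segment={host_segment} out of range for {path!r}")
    return segments[host_segment - 1]


def audit_hosts(paths, host_segment: int = HOST_SEGMENT):
    """Map each log path to its derived host and separate out any host that
    is not an IPv4 address, e.g. an 'archive' directory under routers/ whose
    events would otherwise be indexed with host=archive."""
    good, suspicious = {}, {}
    for p in paths:
        host = host_from_segment(p, host_segment)
        try:
            ipaddress.IPv4Address(host)
            good[p] = host
        except ipaddress.AddressValueError:
            suspicious[p] = host
    return good, suspicious


# Constructed sample of files the syslog server might have written.
SAMPLE_PATHS = [
    "/mylogs/routers/172.17.101.8/172.17.101.8.log",
    "/mylogs/routers/172.17.101.7/172.17.101.7.log",
    "/mylogs/routers/archive/172.17.101.9.log",
]

if __name__ == "__main__":
    good, suspicious = audit_hosts(SAMPLE_PATHS)
    for p, h in good.items():
        print(f"host={h:<14} <- {p}")
    for p, h in suspicious.items():
        print(f"WARNING host={h!r} is not an IP address: {p}")
```

Running it against a directory listing of the real syslog tree before enabling the monitor stanza shows which host values the index will receive.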