Splunk Search

Host override at search time

Path Finder

I want to override the Host value at search time, not at index time because I need to override it just in the context of a specific app.

EXTRACT-field = (?P<host>my_regex)

It does not work. Why?
Is there another way to do this?



Does this work?

EXTRACT-field = (?P<otherField>my_regex)
EVAL-host = otherField
0 Karma


I had another approach which is a bit hacky but seems to work so far:
1. Extracting the host with EXTRACT or REPORT into a new field called host_temp (I used REPORT and transforms)
2. Created an alias for host_temp to host

That's it, don't ask me how stable that solution is.
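To put the form the question tried next to the two search-time alternatives suggested in this thread, here is an added props.conf stanza (not from the original posts or from Splunk documentation). The sourcetype name `top` and the regex come from the `top` sample event further down in the thread; the field names `topuser` and `host_temp` are placeholders, EXTRACT is used in place of the third reply's REPORT/transforms pair for brevity, and whether a calculated field or alias may overwrite `host` is taken from what the replies report, not verified here.

```ini
# props.conf in the app's local/ directory, so the override is search-time
# only and applies just when searching within that app's context.
[top]

# What the question tried: naming the capture group "host" directly.
# Reported in the thread as not working because "host" is an existing
# default field (kept here commented out for comparison).
# EXTRACT-field = ^\s+\d+\s+(?P<host>\w+)

# Option 1 (second reply): extract into a differently named field and
# overwrite host with a calculated field. Calculated fields (EVAL-*) run
# after field extraction and field aliases in Splunk's search-time order.
EXTRACT-topuser = ^\s+\d+\s+(?P<topuser>\w+)
EVAL-host = topuser

# Option 2 (third reply, reported as working but "hacky"): extract into
# host_temp and alias it to host. Field aliases are also search-time.
# Use either option 1 or option 2, not both at once.
# EXTRACT-host_temp = ^\s+\d+\s+(?P<host_temp>\w+)
# FIELDALIAS-host_override = host_temp AS host
```

Check the result with a search like `index=os sourcetype=top | table _raw host topuser` inside the app to confirm the overridden value appears, and outside the app to confirm it does not.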


I was able to do it in SPL for a top event (replacing the hostname with the extracted user name). Perhaps you could make a macro for ease of implementation?

Here's the sample event:

20861  root              20     0  130284    1956    1192   R    11.8     0.0       0:00.03  top

Here's the query:

index=os sourcetype=top | rex field=_raw "^\s+\d+\s+(?P<host>\w+)"
0 Karma

Path Finder

I don't think this is possible. I was trying to do the same thing. Here are instructions for overriding the host value. Note, however, that the doc for transforms.conf indicates that the DEST_KEY attribute is only valid for index-time operations. Also, the TRANSFORMS attribute in props.conf is only valid at index-time as well.

Given this, I plan on re-importing my data.

0 Karma

Path Finder

Make sure you search within the context of the app.

0 Karma

Path Finder

I am damn sure.
The problem is the name "host". If I try to give another name to my field, the EXTRACT works, but I need to override "host".
