Splunk Search

Host override at search time

Path Finder

I want to override the Host value at search time, not at index time because I need to override it just in the context of a specific app.

EXTRACT-field = (?P<host>my_regex)

It does not work. Why?
Is there another way to do this?

Tags (2)


Does this work?

EXTRACT-field = (?P<otherField>my_regex)
EVAL-host = otherField
0 Karma


I had an another approach which is a bit hacky but seems to work so far:
Extracting the host with extract or report in a new field called host_temp (i used report and transforms)
Created an alias for host_temp to host

Thats it, don't ask me how stable that solution is.


I was able to do it in SPL for a top event (replacing the hostname with the extracted user name). Perhaps you could make a macro for ease of implementation?

Here's the sample event:

20861  root              20     0  130284    1956    1192   R    11.8     0.0       0:00.03  top

Here's the query:

index=os sourcetype=top| rex field=_raw "^\s+\d+\s+(?P<host>\w+)"
0 Karma

Path Finder

I don't think this is possible. I was trying to do the same thing. Here are instructions for overriding the host value. Note, however, that the doc for transforms.conf indicates that the DEST_KEY attribute is only valid for index-time operations. Also, the TRANSFORMS attribute in props.conf is only valid at index-time as well.

Given this, I plan on re-importing my data.

0 Karma

Path Finder

make sure u search within the context of the app

0 Karma

Path Finder

I am damn sure.
The problem is the name "host". If I try to give another name to my field, the EXTRACT works, but I need to override "host".

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...