Host name in inputs.conf file


I am trying to use a host name in the stanza [udp://foo.514] but the name is not taking, on the same subject if I have [udp://514] hostname = foo

this is ignored?

Is this just because I am using udp instead of tcp?

Splunk Employee
Splunk Employee

Correct. It does not work with UDP, since there are no "connections" on a UDP port. However, I am not certain that this would do what you might be thinking it does. Please elaborate on what you would like this setting to actually do.

Splunk Employee
Splunk Employee

.#* .# TCP: .#*

[tcp://:] .* Configure Splunk to listen on a specific port. .* If a connection is made from , this stanza is used to configure the input. .* If is blank, this stanza matches all connections on the specified port.

.#* .# UDP: .#*

[udp://] .* Similar to TCP, except that it listens on a UDP port.

all options that work for TCP should work for UDP as well. I believe your syntax might be a bit off though. Check the config file instructions:

.# The following configuration directs Splunk to listen on TCP port 9995 for raw data from .# All data is assigned the host "webhead-1", the sourcetype "access_common" and the .# the source "//"

[tcp://] host = webhead-1 sourcetype = access_common source = //

  • need to use foo:514
  • need to use host = foo

Lastly, if you actually want to see it being indexed as host = foo instead of host = you need to set the flag connection_host = none


0 Karma

Splunk Employee
Splunk Employee

There are a few places the host value may be set.
Is your inputs.conf on the indexer?

Beyond inputs.conf, host values can also be set using props.conf & transforms.conf.
You can extract the host value from the syslog message too.

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...